Improving means of communication have fueled the progress of civilization from mankind's earliest beginnings. From the use of couriers and messengers traveling by foot or horseback; through mail postal delivery by train, truck and airplane; to the advent of the telegram and telegraph, telephone, radio, television, computers, the cell phone; the Internet, email and World Wide Web; and more recently, through social media, voice-over-Internet, machine-to-machine (M2M) connectivity, the Internet of Things (IoT), and the Internet of Everything (IoE), communication has always led the way in exploiting the newest technologies of the day. With each new generation of telecommunications technology employed, the number of people connected and the rate by which information is transferred among them has also increased.
The effect of this trend is that humanity is more connected than at any time in history, with people trusting and relying on communication technology to safely and reliably deliver their private, personal, family, and financial information to only those to which they intend to contact. Knowledge and information can now be distributed in seconds to millions of people, and friends and family can contact one another half way around the world as casually as pushing a button. It is often said, “the world has become a very small place.”
While such progress is tremendously beneficial to everyone, there are also negative consequences of our heavy reliance on technology. It is not surprising that when the communication system fails to perform, e.g. during an earthquake or severe weather, people become disoriented or even panicked by their being “unplugged”, even if only temporarily. The quality of service, or QoS, of a communication system or media is then a critical measurement of a communication network's performance. Peoples' peace-of-mind, financial assets, identity, and even their very lives rely on dependable and secure communication.
Another key consideration of a communication network is its ability to insure privacy, safety, and security to the client using it. As communication technology has evolved, so too has the sophistication of criminals and “hackers” intending to inflict mischief, disrupt systems, steal money, and accidentally or maliciously harm others. Credit card fraud, stolen passwords, identity theft, and the unauthorized publicizing of confidential information, private pictures, files, emails, text messages, and private tweets (either stolen to embarrass or blackmail victims) are but a few examples of modern cyber-crime.
Notable examples of privacy violations and cybercrime at the time of this parent application are listed below to highlight the epidemic proportion of the security problem in today's open communication networks (arranged chronologically):    “Target: Stolen Information Involved at Least 70 million People,” CNBC 10 Jan. 2014    “Hackers Made Smart Fridge and TV Send Malicious emails,” BGR (www.bgr.com) 20 Jan. 2014    “Nest Google Privacy Row Resumes as Thermostat Hacked,” Slash Gear (www.slashgear.com) 24 Jun. 2014    “Account Hijackings Call Line's Data Security into Question. Line, the free call and messaging app, has been rocked by a recent spate of data security breaches. The app has seen hundreds of user accounts illegally accessed by parties other than the accounts' users,” Nikkei Asian Review, 2 Jul. 2014    “Ordinary Americans Caught up in NSA Data Sweep, Report Claims,” AP 6 Jul. 2014    “Smart LED Light Bulbs Leak Wi-Fi Passwords,” BBC News 8 Jul. 2014    “Six People Charged Over StubHub Scam for Prime Tickets. StubHub was targeted by hackers who used stolen passwords and credit card numbers to buy and sell thousands of tickets for pop-music concerts and Yankees games, New York authorities said”, Bloomberg, 24 Jul. 2014    “Internet Of Things' Very Susceptible To Hacking, Study Shows,” International Business Times (www.ibtimes.com) 4 Aug. 2014    “Russian Hackers Amass Over a Billion Internet Passwords”, New York Times 5 Aug. 2014    “New Leaker Disclosing U.S. Secrets, Government Concludes,” CNN 6 Aug. 2014    “Hackers Root Google's Nest Thermostat in 15 seconds,” The Enquirer (www.theinquirer.net) 11 Aug. 2014    “Dairy Queen Hacked by Same Malware that Hit Target,” Christian Science Monitor 29 Aug. 2014    “Celebrity Victims in Leak of Nude Photos—Security Vulnerability in iCloud Accounts,” CBS News, 1 Sep. 2014    “Home Depot May be the Latest Target of Credit Card Breach . . . Home Depot breach could be much larger than Target (40M cards stolen over 3 weeks),” Fortune, 2 Sep. 2014    “Mysterious Fake Cellphone Towers Are Intercepting Calls All Over The US,” Business Insider 3 Sep. 2014    “Hack Attack: From Banks to Retail, Signs of Cyberwarfare?” Yahoo Finance 3 Sep. 2014    “Home Depot Confirms Payment System Hacked In U.S. And Canadian Stores,” Fox News 9 Sep. 2014    “Yahoo Waged Court Fight with U.S. Government Over Surveillance,” CBS/AP 11 Sep. 2014    “Your Medical Record is Worth More to Hackers than Your Credit Card,” Reuters 24 Sep. 2014    “Red Alert: HTTPS Has Been Hacked. Browser exploit against SSL/TLS (BEAST) attack will rank among the worst hacks [sic] because it compromises browser connections hundreds of millions of people rely on every day,” InfoWorld, 26 Sep. 2014    “Sony Cyberattack, First A Nuisance, Swiftly Grew Into a Firestorm,” New York Times, 30 Dec. 2014
In what appears to be an escalating pace of cybercrime, security breaches, identity thefts, and privacy invasions, it begs the question, “how are all these cyber-attacks possible and what can be done to stop them?” At the same time that society seeks greater privacy and security, consumers also want greater connectivity, cheaper higher-quality communication, and more convenience in conducting financial transactions.
To understand the performance limitations and vulnerabilities in modern communication networks, data storage, and connected devices, it is first important to understand how today's electronic, radio, and optical communication operates, transports, and stores data including files, email, text, audio, and video images.
Circuit-Switched Telephonic Network Operation
Electronic communication involves a variety of hardware components or devices connected into networks of wires, radio, microwave, or optical fiber links. Information is passed from one device to others by sending electrical or electromagnetic energy through this network, using various methods to embed or encode informational “content” into the data stream. Theoretically, the laws of physics set the maximum data rate of such networks at the speed of light, but in most cases practical limitations in data encoding, routing and traffic control, signal-to-noise quality, and overcoming electrical, magnetic and optical noise and unwanted parasitics disturb or inhibit information flow, limiting the communication network's capability to a fraction of its ideal performance.
Historically, electronic data communication was first achieved using dedicated “hardwired” electrical connections forming a communication “circuit” between or among two or more electrically connected devices. In the case of a telegraph, a mechanical switch was used to manually make and break a direct current (DC) electrical circuit, magnetizing a solenoid which in turned moved a metallic lever, causing the listening device or “relay” to click in the same pattern that the sender depressed the switch. The sender then used an agreed upon language, i.e. Morse code, to encode information into the pulse stream. The listener would likewise need to understand Morse code, a series of long and short pulses, called dots and dashes, to interpret the message.
Later, Alexander Graham Bell developed the first telephone using the concept of an “undulating current”, now referred to as alternating current (AC), in order to carry sound through an electrical connection. The telephone network comprised two magnetic transducers connected by an electrical circuit where each magnetic transducer comprised a movable diaphragm and coil, or “voice coil”, surrounded by a fixed permanent magnet enclosure. When speaking into the transducer, changes in air pressure from the sound causes the voice coil to move back and forth within the surrounding magnetic field inducing an AC current in the coil. At the listener's end, the time-varying current flowing in the voice coil induces an identical waveform and time-varying magnetic field opposing the surrounding magnetic field causing the voice coil to move back-and-forth in the same manner as the transducer capturing the sound. The resulting movement reproduces the sound in a manner similar to the device capturing the sound. In the modern vernacular, when the transducer is converting sound into electrical current, it is operating as a microphone and when the transducer is converting electrical current into sound it is operating as a speaker. Also, because the conducted electrical signal is analogous to the audio waveform carried as an elemental pressure wave in air, i.e. sound, today such electrical signals are referred to as analog signals or analog waveforms.
Since the transducer, as described, is used both for speaking and for listening, in conversation both parties have to know when to speak and when to listen. Similar to two tin cans connected by a string, in such a system, a caller cannot talk and listen at the same time. While such one-way operation, called “half-duplex” mode, may sound archaic, it is actually still commonly used in radio communication today in walkie-talkies, and in modern telephony by the name “push-to-talk” or PTT.
Later full-duplex (i.e., two-way or send-and-receive) telephones with separate microphones and speakers became commonplace, where the parties could speak and listen at the same time. But even today care is required in operating full-duplex telephonic communication to prevent feedback, a condition where a receiver's sound is picked up by its microphone and fed back to the caller resulting in confusing echoes and sometimes uncomfortable whistling sounds—problems especially plaguing long distance telephonic communication.
Early telegraphic and telephonic systems suffered from another issue, one of privacy. In these early incarnations of communication networks, everyone connected to the network hears everything communicated on the circuit, even if they don't want to. In rural telephone networks, these shared circuits were known as “party lines”. The phone system then rapidly evolved into multi-line networks where dedicated circuits connected a telephone branch office directly to individual customers' phones. Within the branch exchange office, a system operator would manually connect callers to one another through a switchboard using jumper cables, and also had the capability of connecting one branch to others to form the first “long distance” phone call services. Large banks of relays forming telephonic “switch” networks gradually replaced human operators, which was subsequently replaced by electronic switches comprising vacuum tubes.
After Bell Laboratories developed the transistor in the late 1950s, telephone switches and branch exchanges replaced their fragile and hot vacuum tubes with cool running solid-state devices comprising transistors and ultimately integrated circuits. As the network grew, phone numbers expanded in digits from a seven-digit prefix and private number to include area codes and ultimately country codes to handle international calls. Copper cables carrying voice calls soon covered the world and crossed the oceans. Despite the magnitude of the network, the principle of operation remained constant, that calls represented a direct electrical connection or “circuit” between the callers with voice carried by analog signals and the routing of the call determined by telephone switches. Such a telephonic system eventually came to be known as a “circuit-switched telephonic network”, or colloquially as the plain old telephone system or POTS. Circuit switched telephony reached its peak adoption in the 1980s and thereafter relentlessly has been replaced by “packet-switched telephony” described in the next section.
Evolving nearly in parallel to the telephone network, regular radio communication commenced with radio broadcasting in the 1920s. The broadcast was unidirectional, emanating from radio broadcast stations on specific government-licensed frequencies, and received by any number of radio receivers tuned to that specific broadcast frequency or radio station. The broadcasted signal carried an analog signal using either amplitude modulation (AM) or later by frequency modulation (FM) methods, each on dedicated portions of the licensed radio spectrum. In the United States, the Federal Communications Commission or FCC evolved in order to manage the assignment and regulation of such licensed bands. The broadcast concept was expanded into airing television programs using radio transmission, initially comprising black and white content, then in color. Later, television signals could also be carried to people's homes either by microwave satellite dishes or through coaxial cables. Because any listener tuned to the specific broadcast frequency can receive the broadcast, the term “multicast” is now used for such unidirectional multi-listener communication.
Concurrent with advent of radio broadcasting, the first two-way communication commenced with commercial and military ocean ships, and by the time of World War II, radios had evolved into walkie-talkie handheld radio transceivers, devices combining transmitters and receivers into single unit. Like telephony, early two-way radio transmission, operated in “simplex” mode, allowing only one radio to broadcast on a single radio channel while others listened. By combining transmitters and receivers on different frequencies, simultaneous transmission and reception became possible at each end of the radio link, enabling full-duplex mode communication between two parties.
To prevent overlapping transmissions from multiple parties, however, a protocol called half-duplex or push-to-talk is commonly used for channel management, letting anyone exclusively transmit on a specific channel on a first-come first serve basis. Industry standard radio types using analog modulation include amateur (ham or CB) radio, marine VHF radio, UNICOM for air traffic control, and FRS for personal walkie-talkie communication. In these two-way radio networks, radios send their data over specific frequency “channels” to a central radio tower, where the tower amplifies and repeats the signal, sending it on to the entire radio network. The number of available frequencies carrying information over the broadcast area sets the total bandwidth of the system and the number of users able to independently communicate on the radio network at one time.
In order to expand the total capacity of the radio network to handle a greater number of callers, the concept of a cellular network, one where a large area is broken into smaller pieces or radio “cells” was demonstrated in the 1970s and reached widespread adoption within a decade thereafter. The cellular concept was to limit the broadcast range of a radio tower to a smaller area, i.e. to a shorter distance, and therefore be able to reuse the same frequency bands to simultaneously handle different callers present in different cells. To do so, software was created to manage the handoff of a caller passing from one cell into an adjacent cell without “dropping” and suddenly disconnecting the call. Like POTS, two-way radio, as well as radio and television broadcasting, the initial cellular networks were analog in nature. To control call routing, the telephone number system was adopted to determine the proper wireless electrical connection. This choice also had the benefit that it seamlessly connected the new wireless cellular network to the “wire-line” plain old telephone system, providing interconnection and interoperability across the two systems.
Starting in the 1980s, telephonic and radio communication, along with radio and TV broadcasting began an inexorable migration from analog to digital communication methods and formats, driven by the need to reduce power consumption and increase battery life, to improve quality with better signal-to-noise performance, and to begin addressing the need to carry data and text with voice. Radio formats such as EDACS and TETRA emerged capable of concurrently enabling one-to-one, one-to-many, and many-to-many communication modes. Cellular communication also quickly migrated to digital formats such as GPRS, as did TV broadcasting.
By 2010, most countries had ceased, or were in the process of ceasing, all analog TV broadcasting. Unlike broadcast television, cable TV carriers were not required to switch to the digital format, maintaining a hybrid composite of analog and digital signals till as recently as 2013. Their ultimate migration to digital was motivated not by government standards, but by commercial reasons to expand the number of available channels of their network, to be able to deliver HD and UHD content, to offer more pay-per-view (PPV, also know an as “unicast”) programming, and to enable high-speed digital connectivity services to their customers.
While it is common to equate the migration of global communication networks from analog to digital formats with the advent of the Internet and more specifically with the widespread adoption of the Internet protocol (IP), the switch to digital formats preceded the commercial acceptance of IP in telephony, enabling, if not catalyzing, the universal migration of communication to IP and “packet-switched networks” (described in the next section).
The resulting evolution of circuit-switched telephony is schematically represented by FIG. 1, as a “public switched telephone network” or PSTN comprising an amalgamation of radio, cellular, PBX, and POTS connections and sub-networks, each comprising dissimilar technologies. The network includes PSTN gateways 1A and 1B connected by high bandwidth trunk lines 2 and, by example, connected through wire-line connections 4 to POTS gateway 3, cellular network 17, PBX 8 and two-way radio network 14. Each sub-network operates independently, driving like-kind devices. For example, POTS gateway 3, still common in rural communities, connects by twisted copper pair wire 7 to conventional analog phones 6 or alternatively to cordless phones 5. Cordless phones 5 typically employing the digital enhanced cordless telecommunications standard or DECT, its ultra-low power variant DECT-ULE or its precursor CT2, are all dedicated closed system RF systems, typically with carrier frequencies at 0.9, 1.9, 2.4, and 5.8 GHz. Pure DECT phones cannot access cellular networks directly despite being wireless RF based devices.
PBX 8 controls any number of devices used in company offices, including wired desktop phones 9, speaker phone 10 for conference calls, and private wireless network base station 11 linked by wireless connections 12 to cordless or wireless roaming phones 13. Wireless roaming phones 13 represent a business-centric enhancement to a conventional cordless phone, providing the phone access to corporate WiFi connections or in the case of Japan's personal handphone system or PHS, to access a public microcellular network located outside of the company in high traffic volume corridors and in the business districts of densely populated cities such as Shinjuku Tokyo. Bandwidth, transmission range, and battery life are extremely limited in PHS products.
The PSTN also connects to circuit-switched cellular networks 17 running AMPS, CDMA and GSM analog and digital protocols. Through cellular tower 18, circuit-switched cellular networks 17 connect using standardized cellular radio frequencies 28 to mobile devices such as cell phones 19A. In the case of GPRS networks, an enhancement to GSM, the circuit-switched cellular networks 17 may also connect to tablets 19B, concurrently delivering low speed data and voice. Two-way radio networks 14 such as TETRA and EDACS connect the PSTN to handheld radios 16A and larger in-dash and desktop radios 16B via high-power radio towers 15 and RF links 28. Such two-way radio networks, commonly used by police officers, ambulances, paramedics, fire departments, and even port authorities, are also referred to as professional communication networks and services, and target governments, municipalities, and emergency responders rather than consumers. (Note: As used herein, the terms “desktop,” “tablet” and “notebook” are used as a shorthand reference to the computers having those names.)
Unlike POTS gateway 3, cellular network 17, and PBX 8 which use traditional phone numbers to complete call routing, two-way radio network 14 uses dedicated RF radio channels (rather than phone numbers) to establish radio links between tower 15 and the mobile devices it serves. As such, professional radio communication services remain distinct and uniquely dissimilar from consumer cellular phone networks.
FIG. 1 graphically illustrates the flexibility of a PSTN network to interconnect sub-networks of diverse technologies. It is this very diversity that defines an intrinsic weakness of today's circuit switched networks—interoperability among sub-networks. Because the various sub-networks do not communicate with any common control protocol or language, and since each technology handles the transport of data and voice differently, the various systems are essentially incompatible except for their limited capability of placing a phone call through the PSTN backbone or trunk lines. For example, during the September 11 terrorist attack on the World Trade Center in New York City, many emergency responders from all over the USA flocked to Manhattan in an attempt to help fight the disaster, only to learn their radio communication system and walkie-talkies were incompatible with volunteers from other states and cities, making it impossible to manage a centralized command and control of the relief effort. With no standardization in their radio's communication protocol, their radios simply couldn't connect to one another.
Moreover with the direct electrical and RF connections of circuit switched telephonic networks, especially using analog or unsecured digital protocols, it is simple matter for a hacker with a RF scanner to find active communication channels and to sniff, sample, listen, or intercept the conversations occurring at the time. Because the PSTN forms a “continuously on” link or circuit between the parties communicating, there is plenty of time for a hacker to identify the connection and to “tap it”, either legally by governments operating under a federal court ordered wiretap, or criminally by cybercriminals or governments performing illegal, prohibited, or unsanctioned surveillance. The definition of legal and illegal spying and surveillance and any obligation for compliance for cooperation by a network operator varies dramatically by country and has been a heated point of contention among global companies such as Google, Yahoo, and Apple operating across numerous international boundaries. Communication networks and the Internet are global and know no borders or boundaries, yet laws governing such electronic information are local and subject to the jurisdictional authority of the government controlling domestic and international communication and commerce at the time.
Regardless of its legality or ethics, electronic snooping and surveillance today is commonplace, ranging from the monitoring of ubiquitous security cameras located at every street corner and overhead in every roadway or subway, to the sophisticated hacking and code cracking performed by various countries' national security divisions and agencies. While all networks are vulnerable, the antiquity and poor security provisions of PSTNs render them especially easy to hack. As such, a PSTN connected to even a secure modern network represents a weak point in the overall system, creating vulnerability for security violations and cybercrimes. Nonetheless, it will still take many years, if not decades, to retire the global PSTN network and completely replace it with IP-based packet-switched communication. Such packet-based networks (described here below), while more modern than PSTNs, are still unsecure and subject to security breaks, hacks, denial of service attacks, and privacy invasions.
Packet-Switched Communication Network Operation
If two tin cans connected by a string represent a metaphor for the operation of modern day circuit-switched telephony, then the post office represents the similar metaphor for packet-switch communication networks. In such an approach, text, data, voice, and video are converted into files and streams of digital data, and this data is then subsequently parsed into quantized “packets” of data to be delivered across the network. The delivery mechanism is based on electronic addresses that uniquely identify where the data packet is going to and where it is coming from. The format and communication protocol is also designed to include information as to the nature of the data contained in the packet including content specific to the program or application for which it will be used, and the hardware facilitating the physical links and electrical or radio connections carrying the packets.
Born in the 1960s, the concept of packet switching networks was created in the paranoiac era of the post Sputnik cold war. At that time, the US Department of Defense (DoD) expressed concerns that a spaced-based nuclear missile attack could wipe out the entire communication infrastructure of the United States, disabling its ability to respond to a USSR preemptive strike, and that the vulnerability to such an attack could actually provoke one. So the DoD sponsored the creation of a redundant communication system or grid-like “network”, one where the network's ability to deliver information between military installations could not be thwarted by destroying any specific data link or even numerous links within the network. The system, known as ARPANET, became the parent of the Internet and the proverbial Eve of modern digital communications.
Despite the creation of the packet-switched network, explosive growth of the Internet didn't occur until the 1990s when the first easy-to-use web browser Mosaic, the advent of hypertext defined web pages, the rapid adoption of the World Wide Web, and the widespread use of email, collectively drove global acceptance of the Internet platform. One of its fundamental tenets, lack of central control or the need for a central mainframe, propelled the Internet to ubiquity in part because no country or government could stop it (or even were fully aware of its global implications) and also because its user base comprised consumers using their newly acquired personal computers.
Another far reaching implication of the Internet's growth was the standardization of the Internet Protocol (IP) used to route data packets through the network. By the mid 1990s, Internet users realized that the same packet-switched network that carries data could also be used to carry voice, and soon thereafter “voice over Internet protocol” or VoIP was born. While the concept theoretically enabled anyone with Internet access to communicate by voice over the Internet for free, propagation delays across the network, i.e. latency, rendered voice quality poor and often unintelligible. While delay times have improved with the adoption of high-speed Ethernet links, high-speed WiFi connectivity, and 4G data to improve connection quality in the “last-mile”, the Internet itself was created to insure accurate delivery of data packets, but not to guarantee the time required to deliver the packets, i.e. the Internet was not created to operate as a real-time network.
So the dream of using the Internet to replace expensive long distance telecommunication carriers or “telco's” has remained largely unfulfilled despite the availability of “over-the-top” (OTT) providers such as Skype, Line, KakaoTalk, Viper, and others. OTT telephony suffers from poor quality of service (QoS) resulting from uncontrolled network latency, poor sound quality, dropped calls, echo, reverberation, feedback, choppy sound, and oftentimes the inability to even initiate a call. The poor performance of OTT communication is intrinsically not a weakness of the VoIP based protocol but of the network itself, one where OTT carriers have no control over the path which data takes or the delays the communication encounters. In essence, OTT carriers cannot insure performance or QoS because OTT communication operates as an Internet hitchhiker. Ironically, the companies able to best utilize VoIP based communications today are the long distance telephone carriers with dedicated low-latency hardware-based networks, the very telco's that have the least motivation to do so.
Aside from its intrinsic network redundancy, one of the greatest strengths of packet-switched communication is its ability to carry information from any source to any destination so long that the data is arranged in packets consistent with the Internet Protocol and provided that the communicating devices are connected and linked to the Internet. Internet Protocol manages the ability of the network to deliver the payload to its destination, without any care or concern for what information is being carried or what application will use it, avoiding altogether any need for customized software interfaces and expensive proprietary hardware. In many cases, even application related payloads have established predefined formats, e.g. for reading email, for opening a web page on a browser, for viewing a picture or video, for watching a flash file or reading a PDF document, etc.
Because its versatile file format avoids any reliance on proprietary or company-specific software, the Internet can be considered an “open source” communication platform, able to communicate with the widest range of devices ever connected, ranging from computers, to cell phones, from cars to home appliances. The most recent phrase describing this universal connectivity is the “Internet of Everything” or IoE.
FIG. 2 illustrates but a few examples of such Internet connected devices. As shown, a large array of computers including high-speed cloud servers 21A, 21B and 21C and cloud data storage 20 are interconnected by high bandwidth connections 23, typically optical fiber, among with countless other servers (not shown) to form Internet cloud 22. The cloud metaphor is appropriate because there is no well-defined boundary defining which servers are considered part of the cloud and which ones are not. On a daily and even on a minute-to-minute basis, servers come online while others may be taken offline for maintenance, all without any impact to the Internet's functionality or performance. This is the benefit of a truly redundant distributed system—there is no single point of control and therefore no single point of failure.
The cloud may be connected to the user or connected device through any variety of wire-line, WiFi or wireless links. As shown, cloud server 21A connects through a wired or fiber link 24 to wireless tower 25, to WiFi access point 26, or to wire-line distribution unit 27. These “last-mile” links in turn connect to any number of communication or connected devices. For example wireless tower 25 may connect by cellular radio 28 to smartphone 32, to tablet 33, or to connected car 31, and may be used to serve mobile users 40 including for example, pedestrians, drivers of personal vehicles, law enforcement officers, and professional drivers in the trucking and delivery industry. Wireless packet-switched capable telephonic communication comprises cellular protocols 3G including HSUPA and HSDPA, as well as 4G/LTE. LTE, or long-term-evolution, refers to the network standards to insure interoperability with a variety of cellular protocols including the ability to seamlessly hand-off phone calls from one cell to another cell even when the cells are operating with different protocols. Note: As a matter of definition, as used herein “last-mile” refers to the link between any type of client device, such as a tablet, desktop or cell phone, and a cloud server. Directionally, the term “first-mile” is sometimes also used to specify the link between the device originating the data transmission and the cloud server. In such cases the “last-mile” link is also the “first-mile” link.
For shorter distance communication, WiFi access point 26 connects by WiFi radio 29 to smartphone 32, tablet 33, notebook 35, desktop 36 or connected appliance 34 and may be used in localized wireless applications in homes, cafes, restaurants, and offices. WiFi comprises communication operating in accordance with IEEE defined standards for single-carrier frequency specifications 802.11a, 802.11b, 802.11g, 802.11n, and most recently for the dual frequency band 802.11ac format. WiFi security, based on a simple static login key, is primarily used to prevent unauthorized access of the connection, but is not intended to indefinitely secure data from sniffing or hacking.
Wire-line distribution unit 27 may connect by fiber, coaxial cable, or Ethernet 30A to notebook 35, desktop 36, phone 37, television 39 or by twisted pair copper wire 30B phone lines to point of sale terminal 38 serving immobile or fixed wire-line connected markets 42 including hotels, factories, offices, service centers, banks, and homes. The wire-line connection may comprise fiber or coaxial cable distribution to the home, office, factory, or business connected locally though a modem to convert high-speed data (HSD) connection into WiFi, Ethernet, or twisted pair copper wire. In remote areas where fiber or cable is not available, digital subscriber line (DSL) connections are still used but with dramatically compromised data rates and connection reliability. Altogether, counting access through wireless, WiFi, and wire-line connections, the number of Internet connected objects is projected to reach 20 billion globally by the year 2020.
In contrast to circuit switched networks that establish and maintain a direct connection between devices, packet-switched communications uses an address to “route” the packet through the Internet to its destination. As such, in packet-switched communication networks, there is no single dedicated circuit maintaining a connection between the communicating devices, nor does data traveling through the Internet travel in a single consistent path. Each packet must find its way through the maze of interconnected computers to reach its target destination.
FIG. 3 illustrates a hypothetical example of the routing of an IP packet from notebook 60 to desktop 61 using packet-switched network communication. In operation, the first data packet sent from notebook 60 to WiFi router 62A via wireless connection 63A is directed toward array of DNS servers 70, DNS being an acronym for domain name servers. The purpose of the array of DNS servers 70 is to convert the textual name or phone number of the destination device, in this case desktop 61, into an IP address. Prior to routing the packet, DNS root server 72 downloaded a large table of addresses into DNS secondary-server 71. When the query from notebook 60 arrives, DNS secondary-server 71 replies with the IP address of the destination, i.e. desktop 61. In the event that DNS secondary-server 71 does not know the address of the destination device, it can request the missing information from DNS root server 72. Ultimately, the IP address is passed from the array of DNS servers 70 back to the source address, i.e. to notebook 60.
Thereafter notebook 60 assembles its IP data packets and commences sending them sequentially to their destination, first through WiFi radio 63A to WiFi router 62A and then subsequently across the network of routers and servers acting as intermediary routers to its destination. For example, a series of dedicated routers as shown include 65A, 65B, and 65C and computer servers operating as routers include 66A through 66E, together form a router network operating either as nodes in the Internet or as a point of presence or POP, i.e. gateways of limited connectivity capable of accessing the Internet. While some routers or servers acting as a POP connect to the Internet through only a small number of adjacent devices, server 66A, as shown, is interconnected to numerous devices, and is sometimes referred to as a “super POP”. For clarity's sake it should be noted the term POP in network vernacular should not be confused with the application name POP, or plain old post office, used in email applications.
Each router, or server acting as a router, contains in its memory files a routing table identifying the IP addresses it can address and possibly also the addresses that the routers above it can address. These routing tables are automatically downloaded and installed in every router when it is first connected to the Internet and are generally not loaded as part of routing a packet through the network. When an IP packet comes into a router, POP or super POP, the router reads enough of the IP address, generally the higher most significant digits of the address, to know where to next direct the packet on its journey to its destination. For example a packet headed to Tokyo from New York may be routed first through Chicago then through servers in San Francisco, Los Angeles, or Seattle before continuing on to Tokyo.
In the example of FIG. 3, a packet from notebook 60 to WiFi router 62A is then forwarded to router 65A through route 64A, which although it has numerous choices, decides to forward the packet to super POP 66A through route 67A. Although super POP 66A also has many choices, it decides the best path at that particular moment is route 68 to server-router 66D, sending it on to local router 65C through route 67B, which in turn connects through route 64B to WiFi router and access point 62B communicating by WiFi radio 63B to desktop 61. So while the path traversed traveled from super POP 66A to server-router 66D to local router 65C, it could have just as likely had traveled from super POP 66A to router 65B to local router 65C, or from super POP 66A to server-router 66D to server-router 66E to local router 65C. And since the number of routers a packet traverses and the available data rate of each of the connections between routers varies by infrastructure and by network traffic and loading, there is no way to determine a priori which path is fastest or best.
Unlike in circuit-switched telephonic communication that establishes and maintains a direct connection between clients, with packet-switched data, there is no universal intelligence looking down at the Internet to decide which path is the best, optimum, or fastest path to route the packet nor is there any guarantee that two successive packets will even take the same route. As such, the packet “discovers” its way through the Internet based on the priorities of the companies operating the routers and servers the packet traverses. Each router, in essence, contains certain routing tables and routing algorithms that define its preferred routes based on the condition of the network. For example, a router's preferences may prioritize sending packets to other routers owned by the same company, balancing the traffic among connections to adjacent routers, finding the shortest delay to the next router, directing business to strategic business partners, or creating an express lane for VIP clients by skipping as many intermediate routers as possible. When a packet enters a router, there is no way to know whether the routing choices made by the specific POP were made in the best interest of the sender or of the network server operator.
So in some sense, the route a packet takes is a matter of timing and of luck. In the previous New York to Tokyo routing example, the routing and resulting QoS can vary substantially based on even a small perturbation in the path, i.e. in non-linear equations the so-called “butterfly effect”. Consider the case where the packet from New York goes through “router A” in Chicago and because of temporary high traffic in California, it is forwarded to Mexico City rather than to California. The Mexico City router then in turn forwards the IP packet to Singapore, from where it is finally sent to Tokyo. The very next packet sent is routed through Chicago “router B”, which because of low traffic at that moment directs the packet to San Francisco and then directly to Tokyo in only two hops. In such a case, the second packet may arrive in Tokyo before the first one routed through a longer more circuitous path. This example highlights the problematic issue of using the Internet for real-time communication such as live video streaming or VoIP, namely that the Internet is not designed to guarantee the time of delivery or to control network delays in performing the delivery. Latency can vary from 50 ms to over 1 second just depending on whether a packet is routed through only two servers or through fifteen.
The Internet's lack of routing control is problematic for real-time applications and is especially an issue of poor QoS for OTT carriers—carriers trying to provide Internet based telephony by catching a free ride on top of the Internet's infrastructure. Since the OTT carrier doesn't control the routing, they can't control the delay or network latency. Another issue with packet-switched communication, is that it is easy to hijack data without being detected. If a pirate intercepts a packet and identifies its source or destination IP address, they can use a variety of methods to intercept data from intervening routers and either sniff or redirect traffic through their own pirate network to spy on the conversation and even crack encrypted files.
The source and destination IP addresses and other important information used to route a packet (and also used by pirates to hack a packet) are specified as a string of digital data illustrated in FIG. 4. The IP packet contains digital information defining the physical connection between devices, the way the data is organized to link the devices together, the network routing of the packet, a means to insure the useful data (payload) was delivered accurately and what kind of data is in the payload, and then the payload data itself to be used by various application programs.
The IP packet is sent and received in sequence as a string of serial digital bits, shown in advancing time 86 from left to right and is organized in a specific manner called the Internet Protocol as established by various standards committees including the Internet Engineering Task Force or IETF among others. The standard insures that any IP packet following the prescribed protocol can communicate with and be understood by any connected device complying with the same IP standard. Insuring communication and interoperability of Internet connected devices and applications are hallmarks of the Internet, and represent a guiding principal of the Open Source Initiative or OSI, to prevent any company, government, or individual from taking control of the Internet or limiting its accessibility or its functionality.
The OSI model, an abstraction comprising seven layers of functionality, precisely prescribes the format of an IP packet and what each segment of the packet is used for. Each portion or “segment” of the IP packet corresponds to data applying to function of the particular OSI layer summarized in table 87 of FIG. 4. The roles of the seven OSI layers are as follows:                Layer 1, the physical or PHY layer, comprises hardware specific information articulating the physical nature of communication as electrical, RF and optical signals and the way those signals can be converted into bits for use in the communicating system. Converting a specific communication medium such as WiFi radio, Ethernet, serial ports, optical fiber, 3G or 4G cellular radio, DSL on twisted pair copper wire, USB, Bluetooth, cable or satellite TV, or digital broadcasts of audio, video, or multimedia content into a bit stream is the task of the PHY layer. In the IP packet, preamble 80, represents Layer 1 data, and is used to synchronize the entire data packet or “frame”, to the hardware transceiving it.        Layer 2, the data link layer, comprising bits arranged as frames, defines the rules and means by which bit streams delivered from PHY Layer 1 are converted into interpretable data. For example, WiFi radio based bit streams may comply with any number of IEEE defined standards including 802.11a, b, g, n, and ac; 3G radio communication may be modulated using high-speed packet access methods HSDPA or HSUPA; modulated light in an optical fiber or electrical signals on a coaxial cable can be decoded into data in accordance with the DOCSIS 3 standard; etc. In the IP packet, Layer 2 data encapsulates the remainder of the packet, segments 82, 83, and 84, with a leading “data link header” 81, and a trailing “data link trailer” 85, together defining when the encapsulated payload being delivered starts and stops, as well as to insure nothing was lost in the transmission process. One key element of Layer 2 data is the MAC or media access address, used to direct the data traffic to and from specific Ethernet addresses, RF links, or hardware specific transceiver links.        Layer 3, the network or Internet layer, comprises packets called “datagrams” containing Internet Protocol (IP) information used for routing an IP packet including whether the packet contains IPv4 or IPv6 data and the corresponding source and destination IP addresses as well as information regarding the nature of the payload contained within the packet, i.e. whether the type of transport protocol used comprises Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or something else. Layer 3 also includes a function to prevent immortals—IP packets that are never delivered but never die. A specific type of Layer 3 packet, ICMP is used to diagnose the condition of a network, including the well-known “ping” function. In the IP packet, Layer 3 comprises “IP header” 82 and encapsulates its payload comprising transport and upper layer segments 83 and 84.        Layer 4, the transport layer, comprises segments of data defining the nature of the connection between communicating devices, where UDP defines a minimal description of the payload for connectionless communication, namely how large is the payload, were any bits lost, and what application service (port) will use the delivered data. UDP is considered connectionless because it does not confirm delivery of the payload, relying instead on the application to check for errors or lost data. UDP is typically used for time sensitive communication such as broadcasting, multicasting, and streaming where resending a packet is not an option. In contrast, TCP insures a virtual connection by confirming the packet and payload are reliably delivered before the next packet is sent, and resends dropped packets. TCP also checks the data integrity of the delivered packets using a checksum, and includes provisions for reassembling out-of-sequence packets in their original order. Both TCP and UDP define the source and destination ports, a description of an upper layer service or application, e.g. a web server or an email server, concerned with the information contained within the Layer 4 payload. In the IP packet, Layer 4 comprises the TCP/UDP header 83 and encapsulates the data/payload 84 comprising content for use by the upper OSI Layers 5, 6 and 7.        Layers 5, 6 and 7, the upper or application layers describe the content delivered by the Internet as data/payload 84. Layer 7, the “application” layer, represents the highest level in the OSI model and relies on the six underlying OSI layers to support both open source and proprietary application software. Commonly used Level 7 applications include email using SMTP, POP or IMAP, web browsing using HTTP (Chrome, Safari, Explorer, Firefox), file transfers using FTP, and terminal emulation using Telnet. Proprietary applications include the Microsoft Office suite of products (Word, Excel, PowerPoint), Adobe illustrator and Photoshop; Oracle and SAP database applications; Quicken, Microsoft Money, and QuickBooks financial software; plus audio and video players (such as iTunes, QuickTime, Real Media Player, Window Media Player, Flash), as well as document readers such Adobe Acrobat Reader and Apple Preview. Level 7 applications generally also utilize embedded objects defined syntactically by Level 6, the “presentation” layer, comprising text, graphics & pictures, sound and video, document presentations such as XML or PDF, along with security functions such as encryption. Level 5, the “session” layer, establishes cross-application connectivity, such as importing one object into another program file, and control initiating and terminating a session.        
As described, the OSI seven-layer model defines the functions of each layer, and the corresponding IP packet encapsulates data relating to each layer, one inside the other in a manner analogous to the babushka or Russian nesting doll, the wooden dolls with one doll inside another inside another and so on . . . . The outer packet or Layer 1 PHY defines the entire IP frame containing information relating to all the higher levels. Within this PHY data, the Layer 2 data frame describes the data link layer and contains the Layer 3 network datagram. This datagram in turn describes the Internet layer as its payload, with Layer 4 segment data describing the transport layer. The transport layer carries upper layer data as a payload including Layer 5, 6 and 7 content. The seven-layer encapsulation is also sometimes referred to by the mnemonic “all people seem to need data processing” ordering the seven OSI layers successively from top to bottom as application, presentation, session, transport, network, data-link, and physical layers.
While the lower physical and link layers are hardware specific, the middle OSI layers encapsulated within the IP packet describing the network and transport information are completely agnostic to the hardware used to communicate and deliver the IP packet. Moreover, the upper layers encapsulated as the payload of the transport layer are specific only to the applications to which they apply and operate completely independently from how the packet was routed or delivered through the Internet. This partitioning enables each layer to essentially be supervised independently, supporting a myriad of possible combinations of technologies and users without the need for managerial approval of packet formatting or checking the viability of the packet's payload. Incomplete or improper IP packets are simply discarded. In this manner, packet-switched networks are able to route, transport and deliver diverse application related information over disparate communication mediums in a coherent fashion between and among any internet connected devices or objects.
In conclusion, switched circuit networks require a single direct connection between two or more parties communicating (similar to the plain old telephone system of a century ago), while packet switches network communication involves a fragmenting documents, sound, video, and text into multiple packets, deliver those packets through multiple network paths (similar to the post office using best efforts to provide delivery in an accurate and timely manner), then reassembling the original content and confirming nothing was lost along the way. A comparison between circuit-switched PSTNs versus packet-switched VoIP is summarized in the following table:
NetworkPSTVInternetTechnologyCircuit-switchedPacket-switchedConnectionDedicated electricalEach packet routed overconnectionInternetData deliveryReal-time (circuit)Best effort (packet)SignalAnalog or digitalDigital, IP, VoIPContentVoiceVoice, text, data, videoData RateLowHighError CheckingNone, or minimalExtensiveEffect of BrokenBroken or cropped callCall reroutedLineEffect of PowerNetwork delivers powerBattery backup requiredFailureIt should be mentioned here that while PSTNs operate using real-time electrical circuit connections, packet-switched networks deliver content using “best effort” methods to find a way to deliver a packet and payload, not unlike the post office using different trucks and letter carriers to eventually deliver the mail, even if its late to arrive. To better understand the method by which packet-switched networks accomplish this goal, it is necessary to look deeper into the function and role of each layer in the seven-layer OSI model for networks.
OSI Layer 1—Physical (PHY) Layer
The physical layer described by OSI Layer 1 addresses operation of hardware used to facilitate communication. While it is the most basic layer, describing only electrical, radio, and optical transmission, it is also the most diverse, with each detailed description specific to a particular piece of hardware. Broadly viewed, communication hardware can be broken into two types—high-bandwidth communication used for high-traffic-volume pipes connecting servers forming the backbone of the Internet, i.e. the “cloud”, and lower bandwidth connections completing local communication between devices or connecting the “last-mile” link from the cloud to consumers, businesses, and machines.
FIG. 5A illustrates by example, high-bandwidth communication between POP-servers 21A and 21B connected via microwaves towers 98, optical fibers 91, and microwave satellites 93. Microwave communication requires direct line-of-sight links between microwave towers 96A and 96B. The towers are connected as shown to POP-servers 21A and 21B by wire-line connections 97A and 97B. Similarly, satellite communication requires microwave uplinks and downlinks 95A and 95B between satellite 93 and satellite dishes 92A and 92B connected to POP-servers 21A and 21B. As in the prior example, wire-line connections 94A and 94B connect the servers 21A and 21B to the satellite dishes 92A and 92B. Servers 21A and 21B can also connect directly using a high-bandwidth optical connection 90 carried on optical fibers 91. While terrestrial and undersea cables previously comprised large multi-conductor conduits of copper wire, the limited bandwidth and high cost of copper has accelerated a global migration to optical fiber.
FIG. 5B illustrates various examples of the “last-mile” link from the cloud 22 comprising servers 21B and 21C and high bandwidth connection 23, and a large variety of computers, phones, radios, and connected “things”. As shown, wire-line connections may comprise optical fiber 91 and coaxial cable 105, and to diminishing degree twisted pair copper wire. Wireless connections may be transmitted by a number of means including cellular radio tower 18, two-way radio tower 15, WiFi access point 26, and satellite 93.
As some examples, server 21C acting as a cloud gateway connects by fiber connection 24 to LTE base station 17 driving radio tower 18 for cellular communication 28 connecting to cell phone 32, tablet 33, or notebook 35. Server 21C also connects to public WiFi router 100 transmitting WiFi 29 to cell phone 32, tablet 33, or notebook 35.
Server 21C connects to cable modem transmission system CMTS 101 which in turn connects by coaxial cable 105 to set top box (TV STB) 102 driving TV 39 using HDMI 107 and to cable modem 103. Cable modem 103 generates two different types of outputs—voice and high speed digital (HSD). The voice output may be used with cordless phone 5 while the HSD drives desktop 36 as well as tablet 33, home appliance 34, and cell phone (not shown) via WiFi signal 29 generated by home WiFi access point 26. Cable modem 103 may in some instances produce HSD as Ethernet 104 wired to desktop 36. Alternatively TV STB 102 can receive its signals via satellite link 95 comprising satellite dishes 92A and 92B with satellite 93. Collectively TV STB 102 and the various outputs of cable modem 103 create home communication network 100.
Server 21C may also connect to professional communication devices via two-way radio 20 signals driving radios 16A and 16B from TETRA or EDACS base station 14 and radio tower 15 or through corporate PBX 8 driving desktop phones 9. Because most two-way radio and private branch exchange systems are not based on packet-switched techniques and do not use public telephone numbers for call routing, information is lost whenever data is sent between server 21C and PBX 8 or radio base station 14. The same is true of PSTN-bridge 3 connected to POTS 6, since POTS is not designed to handle a mixture of voice and data.
The role of the physical or PHY layer varies in systems depending on whether the communication is one-to-one, one-to-many, or many-to-many. In one-to-one communication, illustrated conceptually in FIG. 6A, two and only two electronic devices 140A and 140B communicate directly with one another using a dedicated electrical, optical or RF connection to realize a point-to-point connection. By using a prescribed and predefined communication protocol installed in interfaces 143A and 143B, a hardware only interface can be established between devices to perform communication. More specifically, data generated from electronic circuitry 141A is transferred to physical layer communication interface 143A connected via electrical, RF or optical signals 144 to an identically constructed physical communication interface 143B. The data received is processed by electronic circuitry 141B and in some cases a response is returned to interface 143A in device 140A.
Since in one-to-one communication there are only two devices, there is no need to include software to direct traffic, identify devices, or to decide which devices respond to instructions. Examples of such dedicated point-to-point communication includes serial communication buses like RS232 originally used to connect printers to desktop computers, and the simple serial control or S2C bus (U.S. Pat. No. 7,921,320) used to control the LED backlight brightness in cell phone displays.
Dedicated point-to-point communication offers several advantages. Firstly, it is easy to implement and if desired, can be performed entirely in hardware, even within a single integrated circuit, with no need for a central processing unit (CPU) core. Alternatively, the interface can be implemented in firmware, i.e. hardware specific software, requiring only minimal CPU processing power to execute a limited instruction set for managing data exchange. Secondly, without the need for traffic management, such interfaces can operate at very high data rates. Lastly, it offers various advantages in security because no other device is sharing the line or able to “listen” to its communication. In this case, the interface can be implemented to “validate” or “authenticate” the identity of any device at the time the device is plugged into its port, and to disable the port if the connection is interrupted even for an instant. Devices that are not authenticated are ignored and the port remains shut down until a valid device replaces the offending device.
The relationship between two devices in one-to-one communication can be managed in two fundamentally different ways. In “peer-to-peer” communication, each device has equal decision making authority and control of the communication exchange is generally prioritized on a first-come first-served basis. Alternatively, in a “master-slave” configuration, the master device takes control of the decision making process and the slave has to make requests and receive approval from the master device to initiate any action.
A one-to-many PHY-only interface is illustrated in FIG. 6B where three or more devices 140A, 140B and 140C are connected together by common communication line, shown as a data “bus” 144. Each device includes electronic circuitry 141A, 141B or 141C connected by corresponding data lines 142A, 142B, and 142C to physical interfaces 143A, 143B, and 143C. In this configuration, data communicated from any one device is passed to all the other devices connected to the bus or communication medium. For example, if device 140C sends data on to bus 144, both devices 140A and 140B will receive the communication, if device 140B sends data on to bus 144, devices 140A and 140C will receive the communication, and so on. Communication where everyone listens is known as “broadcasting”, a means similar to broadcast TV stations transmitting content to many TV receivers.
In the modern vernacular, one-to-many broadcasting is known as multicasting. Layer 1 PHY-only one-to-many broadcasting is intrinsically not a secure form of communication because the broadcaster has no idea who is listening. In World War II, broadcasting was used to send information to troops, fleets, and submarines over insecure channels using “encryption” designed to prevent a listener's ability to interpret a message by using a secret algorithm to scramble the information. If an unauthorized listener is able to “break the code”, security is severely compromised not only because the interloper can intercept confidential communiqués, but because the broadcaster doesn't know they are able to. So in Layer-1 PHY-only implementations, one-to-many communication suffers several major disadvantages, namely:                Any device able to connect to the communication bus or medium is able to receive or monitor the content of the communication, even if they represent an unintended recipient or a security threat;        The device sending the information, i.e. the “transmitting device” has no idea what other devices are listening;        The transmitting device cannot confirm if the sent data was received correctly and accurately; and        Transmission of communication traffic to unintended or disinterested recipients wastes valuable communication channel bandwidth by forcing recipients to receive messages they don't want, need, or care about.        
The problem of multi-device connectivity using a PHY-only implementation is further exacerbated in one-to-many and especially in many-to-many device communication because of competition for channel bandwidth and in determining prioritization of which device is authorized to transmit. To prevent data collisions, cases where multiple devices try to broadcast simultaneously, PHY-only communication must adopt a predetermined hierarchy of priority rights for each device sharing the communication channel or medium. In a central processing unit or CPU design, several methods are combined to manage communication within the CPU and between the CPU and memory. These concepts include the principle of an “address bus” used to identify what device or memory location the CPU is attempting to communicate with, a “data bus” used to carry the data separately from the address, and one or more “interrupt’ lines used to identify when some task must be performed.
In this manner a CPU can react dynamically to required tasks, allowing the CPU to communicate with and support multiple peripherals on an as needed basis, absolving the CPU of any responsibility to constantly poll or solicit status information from its connected peripherals. In operation, whenever a peripheral component needs attention, it generates an “interrupt” signal, i.e. a request for service by electrically shorting a shared connection, the interrupt line, to ground, momentarily. After generating the interrupt, the peripheral waits for the CPU to ask the device what it needs in a manner analogous to the “call attendant” light in an airplane. Since the interrupt service routine generally allows the CPU to finish what it is doing before servicing the interrupting device, such a method is not good for dealing with priority treatment of real-time events requiring immediate attention.
To augment the capability of interrupt-based communication for real-time applications, CPU architecture introduced the concept of a priority line called a “non-maskable interrupt” to force the CPU to drop whatever it's doing and immediately service a high-priority or real-time event, e.g. a message coming into a router or a call coming into a cell phone. Like VIP treatment for a small number of passengers in a first class cabin, while such methods work for a limited number of devices connected to central communication or master device, the approach does not scale to handle a large number of users nor does it support peer-distributed systems where there is no centralized control.
Expanding on the CPU's principle of a device address, OSI Layers 2, 3, and 4 likewise all utilize device “identity” as a key component in directing communication traffic among devices. For example, Layer 2, the data link layer, identifies input and output connections using media access or MAC addresses, Layer 3, the network layer, routes packets through the network using IP addresses, and Layer 4, the transport layer, employs port addresses to identify what kind of data is being transported, e.g. email, web pages, files, etc. In a CPU, the address bus, data busses, and interrupt lines comprise separate lines, also known as a “parallel” port connection. While parallel ports are effective in maximizing data rates for interconnections within a single chip or for short distance high-speed connections on a computer motherboard, the large number-of-lines are expensive and impractical for longer distance communication.
Instead, serial communication, delivering information in packets transmitted over time, forms the prevailing method for electronic communication today. The IP packet shown previously in FIG. 4 contains all the necessary routing and communication data to deliver content, payload 84, between a sender and a recipient over a communication network, either locally or globally. Each IP packet contains requisite addresses including the data link layer information in data link header 81, the IP address info in IP header 82, and the port address information in TCP/UDP header 83, except they are arranged sequentially and received in order over time 86 instead of being sent simultaneously in parallel.
OSI Layer 2—Data Link Layer
To overcome the aforementioned problems in controlling information flow in PHY-only multi-device communication, the seven-layer OSI model includes the abstraction of a Layer 2 or “data link” layer. In essence the data link layer performs the duties of a traffic cop, directing the flow of data, and deciding which data on a shared data bus or shared medium is intended for a particular device. The role of the Layer 2 data link layer is exemplified in FIG. 7A where devices 145A, 145B and 145C share a common connection or “bus” 144, but each have their own data link layer communication interface 146A, 146B, and 146C supporting only one data link communication 147 at a time. So even though many devices are connected together at the physical layer, i.e. sharing a common hardware bus, on the data link layer only two of them are connected to one another at one time. Specifically, should device 145A wish to communicate exclusively with device 145B, i.e. the data link 147 occurs only between device A and device B even though device C is connected at a physical level to the other two.
By introducing Layer 2 related hardware or software as a data link layer interface in all three devices, i.e. data link interfaces 146A, 146B, and 146C, data sent across data bus 144 can be inspected and filtered to limit communication between the sender and the intended recipient devices. The other bus connected devices, while they still receive the same data, ignore it and take no action as a result of receiving the incoming message. Such a protocol is used by the serial peripheral interface or SPI bus, where multiple devices are connected to a common “data bus”, the bus carrying data, but only respond if their particular address appears on the address lines. In this way, the SPI bus is used to control LEDs in LCD TV backlight systems, allowing independent control of each string of LEDs in the TV display to facilitate brightness control and “local dimming” for high contrast HD and UHD video content. The same concept is also used in computer memory bus architectures to select which bank of memory is being read or written to, in PCI Express expansion slots in computers, and in the CAN bus used in automobiles.
Likewise, the concept of the data link layer is used in Bluetooth wireless communication of wireless headphones, speakers, video cameras, etc., where only paired devices, devices previously authorized or “bonded”, can communicate with one another. In the Bluetooth protocol, the bonding process, steps that establish the data link, occurs independently from and prior to any actual data communication. Once the bond is complete, the two bonded devices can, at least theoretically, communicate undisturbed by other Bluetooth conversations transpiring concurrently among other parties. In reality, Bluetooth communication bus 144 represents a shared radio frequency channel of limited bandwidth and data capacity. Defined by the Bluetooth standards committee and assigned by mutual consent of the FCC and their foreign equivalent agencies, every Bluetooth compliant device broadcasts on the same shared radio frequency band or “channel”. Each simultaneous broadcast consumes a portion of the channel's available bandwidth and data rate. Despite the overlapping transmissions, the data does not collide so long that the channel doesn't become overly populated. To minimize the risk of data collisions and to circumvent challenges of channel overpopulation and availability, Bluetooth communication is intentionally limited to very short distances and extremely low data rates.
In the bus architecture described previously, the physical connection is a common line, electrical connection, or medium connected directly to or shared among multiple devices. In a bus architecture, any device connected to the bus consumes some energy from the bus in order to communicate and degrades the bus performance, even if but by a small amount. This phenomenon, incrementally degrading bus performance with each additional device connection is known as “loading”. In the event the loading it too great, the bus no longer is able to operate within its specified performance limits, and communication will fail either by becoming too slow or by exhibiting a high error rate. The maximum number of devices that may be connected to a line or bus before it fails to meet its specified performance rating is referred to as the “fan out” of the bus or connection. To alleviate the risk of loading, the bus can be broken into numerous segments, each operating in a point-to-point manner, where the signal integrity is boosted or buffered in magnitude before sending it on to other devices. From the point of view of connectivity, the data or signal being communicated, the data link, is the same as in bus architectures, but the electrical, optical, or radio signal strength, the PHY data, is consistently maintained at a constant level independent of the number of connected devices.
One such connected network comprising point-to-point connections with boosted signals is the hub architecture shown in FIG. 7B, where devices A, B and C shown in simplified form by communication stacks 146A, 146B, and 146C respectively are used to connect to one other through a signal boosting bus or “hub” 148. The hub faithfully reproduces its incoming signal content without modifying, filtering, or interpreting the data stream, then outputs a boosted version of the same signal on lines connected to other devices.
Each device connects to hub 148 through its own dedicated communication line, specifically, 151A, 151B, and 151C connecting peripheral device communication stack 146A to hub communication stack 150A, device communication stack 146B to hub communication stack 150B, and device communication stack 146C to hub communication stack 150C, respectively. In turn, the communication stacks within hub 148 connect to a high-speed internal bus 149 to interconnect the hub-connected devices. Although the PHY layer data all travels through hub 148 and internal data bus 149, the Layer 2 data link layer communication 147 operates as though only communication stack 146A in device A is talking exclusively to communication stack 146B in device B, and not to device C. The PHY-layer data is however delivered to every device connected to the hub and with identical propagation delays. Also, since there is no way to know which device is broadcasting and which ones are listening, the hub device must support multidirectional communication. Hubs for Ethernet and Thunderbolt operate in such a manner. In other hubs, for example for the “universal serial bus” or USB, the hub has one input and a number of outputs, typically to two to six, using different shaped USB connectors to distinguish the two types and the default direction of data flow.
Another method to interconnect devices to provide signal boosting is the “daisy chain” architecture shown FIG. 7C where Devices A, B and C are connected in successive fashion with Device A communication stack 152A connected to Device B communication stack 152B through physical bus connection 151A, and with Device B communication stack 152B connected to Device C communication stack 152C through physical bus connection 151B, and with Device C communication stack 152C connected through physical bus connection 152C to the next device connected in the daisy chain, if any. To clarify the fact that the physical connection, and literally the mechanical connector itself in wire-line systems, are distinct, communication stacks 152A, 152B and 152C each contain two Layer 1 physical interfaces but only one Layer 2 data link layer.
In daisy chain operation PHY data flows from the data link layer of communication stack 152A into its PHY interface, then through a cable constituting physical bus connection 151A into the PHY interface of communication stack 152B, up into its data link layer, down into the second PHY interface of Device B, through a cable constituting physical bus connection 151B, into the PHY interface of communication stack 152C, and up into its data link layer. So while the physical signal meanders its way through all three devices shown, the data link layer connects only communication stack 152A of Device A to communication stack 152C of Device C, where Device B ignores the data that it is carrying. Examples of network communication based on daisy chain architecture include Firewire, i.e. IEEE1394, musical digital interface or MIDI, and the now obsolete token ring used by early Window-based personal computers. A positive feature of daisy-chaining devices is that there is no need for an extra device, i.e. the hub, or all the network wiring connecting to it. One negative attribute of the daisy chain architecture is that the propagation delay between devices increases with each device the data passes through, causing inconsistent performance especially in high-speed real-time applications.
In all three examples, the bus architecture, the hub architecture, and the daisy-chain architecture, PHY-layer data is sent to every network-connected device, even if it is not the intended recipient. The device itself performs packet identification and filtering, where it compares the address of the data it receives to its own address, typically pre-programmed as a fixed permanent address using nonvolatile memory, micromechanical switches, or wire jumpers in the device or in one of its ICs. When a specific device recognizes a data packet containing a destination that matches its address, it responds, otherwise it ignores the packet altogether. The device address in the packet must comply with the communication protocol being used, whether MIDI, USB, IEEE1394, Thunderbolt, etc. In the case where the packet uses Internet Protocol as its data link layer, the address is given a specific name called the “media access” or MAC address, to be described later in this disclosure.
One key attribute of the bus, hub, and daisy chain architectures shown is that the data being broadcast on the PHY layer, i.e. the electrical, RF, or optical signals are sent to every connected device. This method consumes valuable network bandwidth by unnecessarily sending packets to devices that do not need them and for which they are not intended. As Ethernet emerged as the prevailing standard for local area network or LAN connectivity, this wasted network bandwidth was identified and ultimately eliminated by the introduction of a network “switch”.
In LAN implementations like that shown in the three-device example of FIG. 8A, a LAN switch 159 is inserted in between the communicating PHY layer of communication interfaces 146A, 146B, and 146C contained within devices 145A, 145B, and 145C. In contrast to the bus connection shown previously in FIG. 7A, having a single shared data bus 144 interconnecting the devices, the addition of LAN switch 159 breaks the bus into three discrete point-to-point connections, namely PHY connection 148A between device 145A and switch 159, PHY connection 148B between device 145B and switch 159, PHY connection 148C between device 145C and switch 159, and so on. As shown, each physical connection occurs point-to-point, between only two devices, with intermediate devices responsible to pass the serial data stream along to its adjacent connected devices.
The principle can scale to any number of devices, and the operation of the LAN switch 159 can be unidirectional or bidirectional and half-duplex or full duplex. In operation, to establish data link 147 exclusively between communication interfaces 146A and 146B of network connected devices 145A and 145B, LAN switch 159 establishes a physical layer connection only between the two communicating devices 145A and 145B. As such, PHY layer connection is established exclusively between the two communicating devices, namely device 145A and device 145B, but with no other network connected devices, e.g. device 145C. One benefit of using LAN switch 159 is that device 145C is not bothered to listen to the chatter of other communication occurring in the network and its communication interface 146C remains free until called upon.
A second benefit of using LAN switch 159, is that the signal coming into LAN switch 159 is boosted before being sent onward to an adjacent network connected device, so that no loading, signal degradation, or speed impact results from connecting more devices to LAN switch 159. So the fan out of LAN switch 159 is essentially unlimited, determined only by the number of connections in the LAN switch.
A schematic representation of LAN switch 159 is illustrated in FIG. 8B, comprising lines 160A through 160F. At the intersection point in every combination of two lines is a LAN crosspoint 161, representing a bidirectional switch and amplifier. For example, crosspoint AB interconnects B line 160B to A line 160A, crosspoint BE interconnects B line 160B to E line 160E, crosspoint CE interconnects C line 160C to E line 160E, and so on. In normal communication, each line is connected to at most only one other line to create an interconnection pair. Once a device is located, a routing table of Layer 2 MAC addresses (not shown) is maintained with LAN switch to keep track of which devices are connected and to what connector. The table essentially maps the MAC address to their physical connection to the LAN switch, establishing a precise relationship between Layer 2, the data link layer, and Layer 1, the PHY layer. The table is dynamic, so if one device is unplugged and another is plugged in, the MAC address routing table is automatically updated in LAN switch 159.
In special cases where a broadcast of data is sent to every device in the network, for example in startup where one device may be looking for another but hasn't identified its location on the LAN switch, then every device may be interconnected simultaneously with only one source broadcasting the data and the rest of the devices receiving it. Because of the built-in amplifiers, even in the broadcast mode, every signal is buffered and no speed or signal integrity degradation results.
The third and most important advantage of using LAN switch 159 is it dramatically increases the bandwidth of the overall network, allowing multiple conversations to occur simultaneously and independently between pairs of devices as illustrated in FIG. 8C. In the example, devices 145A, 145B, 145C and 145F are connected to LAN switch 159 with physical lines 160A, 160B, 160C, and 160F, respectively. Through the data link Layer 2, devices 160A and 160B establish a dedicated communication channel AB through pairing 164 while concurrently devices 160C and 160F establish a dedicated communication channel CF through pairing 165. In the communication of device 145A to 145B, data is sent along line 160A through “on” LAN crosspoint 162 and through line 160B to device 145B. Simultaneously, in the communication of device 145C to device 145F, data is sent along line 160C through on LAN crosspoint 163 and through line 160F to device 145F. All other LAN crosspoint connections remain off even if devices are plugged in to the other lines.
In this manner two independent communication channels, or “conversations” can occur at full data rates in AB pairing 164 and CF pairing 165 without waiting to share a common data bus. So in the example shown the bandwidth of the network connecting four devices is doubled by using LAN switch 159 and a LAN architecture compared to using a bus, hub, or daisy chain network architecture. In a LAN switch with “n” lines and connections, the maximum number of simultaneous conversations is then “n/2,” compared to the alternative networks using serial connections that are only able to support one single conversation at a time.
It should be noted that when two devices are connected, e.g. devices 145A and 145B in AB pairing 164, the communication using a single line is only half duplex because only one device can “talk” at one time while the other listens. If full duplex communication is required, the number of lines and crosspoint connections in LAN switch 159 must be doubled, with device 145A having its output connected to the input of 145B and, in parallel, with device 145B having its output connected to the input of 145A. So a device A to device B full duplex conversation would simultaneously involve two pairings—an AB pairing where device A sends data to device B and a BA pairing where device B sends data to device A, each on different lines and through unique crosspoint connections.
While the illustration of FIG. 8C may imply that lines 160A through 160F represent wires and plugs of an electrical connector, the description is equally valid even if the lines represent radio or optical communication. In radio communication, each line may for example represent a unique frequency band, or “subchannel” used to carry one line's data, and where 20 radio frequencies, bands, or subchannels may be used to carry up to 10 different conversations simultaneously and independently. In optical communication each line, may represent a different wavelength of light or a unique modulation scheme. The radio or optical interface converts the electromagnetic communication back into electrical signals within the communicating devices. So in this manner, a LAN switch may be used to enhance the bandwidth of any network configured communication medium.
While numerous protocols and standards have emerged to direct traffic and transport data in packet-switched networks, several widespread standards have emerged that warrant greater explanation. Either widely adopted or evolving from existing aging standards, these communication protocols and their associated hardware, discussed here below, include:
Ethernet (IEEE802.3) for electrical based communication networks
WiFi (802.11) for near range radio communication networks
4G/LTE for long range radio communication networks
DOCSIS3 for cable and fiber based communication networks
Ethernet (IEEE802.3)—
When electrical connections are used to form a LAN in modern networking, most proprietary networks have been replaced by a globally accepted standard IEEE802.3 known as Ethernet. The Ethernet specification prescribes the data packet used by the data link Layer 2 as well as defining the electrical connections, voltages, data rates, communication speeds and even the physical connector plugs and sockets. So Ethernet is, as a standard, both a data link Layer 2 and PHY Layer 1 specification. Specification of the content of an Ethernet data packet, either as a Layer 1 Ethernet packet 188 or a Layer 2 Ethernet packet 189, is illustrated graphically as serial data in FIG. 9 represented from left to right in the direction of increasing time 86. Associated table 190 describes the function of each block or sub-packets in the Ethernet packet.
Layer 2 Ethernet packet 189 as shown contains destination MAC address 182, source MAC address 183, an optional virtual LAN block 184, Ethertype block 185, frame check 186, and payload 187, representing the actual data being carried by the Ethernet packet. To insure speed specifications, the size of the Layer 2 Ethernet packet may, according to the Ethernet specification, range from 64 B to 1,518 B in order to carry a payload from 42 B to 1500 B. In the event the optional VLAN block 184 is included in the packet, the packet length increases by 4 B with a maximum Layer 2 Ethernet length of 1,522 B.
Layer 1 Ethernet packet 188 combines the entire contents of Layer 2 Ethernet packet 189 with a header comprising SFD 181 for synchronization and preamble 180 as a data frame header. The maximum length of the Layer 1 Ethernet packet 188 is then 8 B longer then the Layer 2 Ethernet packet 189, ranging from a minimum size of 72 B to a maximum length of 1,526 B without the VLAN option or 1,530 B with the VLAN block 184 included.
In operation, the purpose of preamble 180 as a Layer 1 data frame header subfield is to assist the hardware in initially identifying a device is trying to send data. Start frame header SFD 181, another Layer 1 artifact, is used for synchronizing the incoming packet data to the timing clocks to enable reading the data reliably. After these two blocks of Layer 1 Ethernet packet 188 are received, the Layer 2 Ethernet packet 189 commences with the destination MAC address 182 and source MAC address 183 describing what LAN-connected device the data is going to and where it is coming from. The LAN switch is intelligent and able to route data according to these addresses. VLAN block 184 is optional and if present facilitates filtering of the packets by partitioning them into sub-networks or virtual local area networks in accordance with the IEEE specification 802.1Q. Ethertype 185 specifies the format of the data either as the type of data or its length depending on its format. Ethertype 185 and VLAN 184 follow a format that prevents confusion as to whether optional VLAN 184 data is inserted or not.
After all of this header data is received, payload 187 contains the actual data being delivered by the Ethernet packet. This data may comply with Internet Protocol, and may contain data encapsulating Layer 3 to Layer 7 content as described in the OSI model. Alternatively, in custom designed systems, payload 187 may contain protocols proprietary to specific hardware or manufacturers. If all the required data cannot be sent in the maximum packet size of 1,500 B allowed by the Ethernet standard, then the payload can be broken into pieces, or sent using an alternative protocol, for example a Jumbo frame which can carry up to 9,000 B of data, six times that of a standard Ethernet packet. Frame check 186 carries simple error checking-related information for the Layer 2 Ethernet packet 189 but not Layer 1 data for preamble 180 or SFD 181. Frame check 186 utilizes a 32-bit (32 b) cyclic redundancy check algorithm, able to detect unintended changes in raw data of the Layer 2 Ethernet packet 189.
The physical standard for Ethernet includes both electrical and optical fiber, with the electrical cable being the most common today. Data rates have evolved over time from 10 Mbps to 100 Mbps to more recently 1 Gbps up to 100 Gbps, called “Gigabit Ethernet. Ethernet cables utilize easily recognized RJ-45 connectors to secure connections between LAN switches and devices such as servers, desktops, notebooks, set top boxes, and modems. In some instances, Ethernet may be used to deliver power to a device, known as “power over Ethernet” or POE.
WiFi (802.11)—
In many instances, Ethernet is employed to establish a wireless network connection with mobile devices, using a short distance radio link. Over time, proprietary wireless links have been replaced by a standardized short distance communication protocol defined by the IEEE802.11 standard, commercially called WiFi. Often merging router and switch functionality with radio receivers and transmitters, WiFi routers are now commonplace in homes, offices, businesses, cafés, and public venues.
The radio link shown in FIG. 10 illustrates the combination of two interconnected networks, one comprising “Ethernet MAC access” 200A and the other comprising a radio link, namely “radio access point” 200B. Interface circuitry and related firmware block 202 provides the Layer 1 PHY interface, i.e. the physical bridge 204A and 204B between the electrical network and the radio network, as well as facilitating the Layer 2 data link 205A and 205B between the Ethernet protocol and radio protocol, e.g. WiFi. In operation, data coming from Ethernet 201 enters communication stack 203A, with physical signals connecting to interface 202 through Layer 1 PHY connection 204A and Layer 2 data link information passed through connection 205A.
After processing, data is passed from interface 202 into the communication stack 203B of radio access point 200B, with physical signals connecting through Layer 1 PHY connection 204B and Layer 2 data link information passed through connection 205B. This information is then passed on connection 204 to the radio transceiver and broadcast on any one of several “n” radio channels through radios 206A through 206N as output on radio antenna 207. When receiving radio signals, the data path is the same but in opposite direction to the aforementioned description.
Interface 202 also can also act as LAN switch to support concurrent communication on different radio channels can occur with different Ethernet-connected devices simultaneously, in which case more than one Ethernet cable 201 is plugged into the radio link device. Alternatively, multiple radio conversations can be sequentially sent over a single Ethernet connection to an upstream device, using Layer 3 and Layer 4 to manage the routing of the packets to different recipients.
One standardized device and protocol for short distance radio communication is a wireless local area network or WLAN device operating in accordance with the IEEE802.11 specification. Such devices, commercially known as WiFi, are used for wireless Internet access and for wireless distribution systems or WDS, i.e. radio connections used to replace wireline connections where cabling is inconvenient, difficult, or expensive to deploy. Aside from the master IEEE802.11 specification, subversions such as 802.11a, 802.11n, 802.11ac, etc. are used to specify carrier frequencies, channels, modulation schemes, data rates, and RF communication range. A summary of the subversions of the 802.11 standard approved by the IEEE at the time of this application is listed in the following table:
CarrierChannelMax DataIndoorOutdoor802.11Freq.BWRateMax #Modula-RangeRangeVersionRelease DateGHzMHzMbpsMIMOtionmmaSeptember 19995206 to 54NoneOFDM351203.7—5,000bSeptember 19992.4221 to 11NoneDSSS35140gJune 20032.4206 to 54NoneOFDM38140DSSSnOctober 20092.4 or 5207.2 to 72.25OFDM702504015 to 150acDecember 20135207.2 to 96.38OFDM35—4015 to 2008032.5 to 433.3160 65 to 866.7adDecember 2012602,1606,912NoneOFDM——singlecarrier orlow power
As shown, WiFi operates primarily at 2.4 GHz and 5 Ghz, with 3.7 Ghz designed for long distance WDS routing thus far adopted only by the U.S. The 60 GHz carrier is newly adopted and designed for Gigabit data rates consistent with connecting to other high bit rate networks such as Gigabit Ethernet and fiber/cable using DOCSIS 3. To support parallel operation of multiple users common in cafés and public venues, 802.11n and 802.11g offer parallel 5 channel and 8 channel multiple-input multiple-output or MIMO connectivity. To achieve high bandwidth, WiFi primarily uses OFDM or orthogonal frequency-division multiplexing as a method of encoding digital data on multiple closely spaced orthogonal sub-carrier channels.
In operation, OFDM separates a single signal into subcarriers, dividing one extremely fast signal into numerous slow signals. Orthogonality in this context means adjacent sub-carrier channels do not overlap, avoiding confusion as to which channel data is intended. The numerous subcarriers are then collected at the receiver and recombined to reconstitute one high-speed transmission. Because the data rate on the subcarrier channels is lower than a single high-speed channel, signal susceptibility to distortion and interference is reduced, making the method well suited for reliable RF communication even in noisy ambient environments or over long distances. Except for the special 3.7 GHz band, WiFi is limited to short range 70 m indoors and 250 m outdoors with higher broadcast powers. WiFi lacks cellular handoff capability so its use in long distance mobile communication is problematic and relegated to the LTE technology described below.
In WiFi using OFDM modulation, transmitted data is organized into “symbols”, a type of data representation that naturally compresses many digital states into a lesser number of symbols. The symbols are then transmitted at a low “symbol rate” to provide immunity from data loss related to carrier transport issues. This approach insures a higher bit rate with a lower error rate, improved QoS, and reduced sensitivity to signal strength fluctuations, RF ghosting, and ambient noise or EMI. A symbol may be any modulation such as a frequency, tone, or specific pulse pattern correlating to each specific symbol, where a sequence of symbols in a fixed duration may be converted to a data stream at a bit rate higher than the symbol rate. The method is analogous to semaphore flags where the flag can be moved into one of sixteen fixed positions in set duration, e.g. in one second. The symbol rate, also known as the “baud” rate, is then one symbol per second, or one baud, where the term one baud is defined as, “the number of distinct symbol changes made to the transmission medium per second”. Since the flag may have 16 different values, in binary form, eight states are equivalent to 4 bits, because 24=16 states. Then a symbol rate of 1 per second or 1 baud equals a data bit rate of 4 bps, four times higher than the symbol rate. Similarly, using 16 different tones to represent the symbols, a symbol rate of 10M symbols per second can result in a digital data bit rate of 40 Mbps.
The number of symbols employed affects, however, not only the bit rate but the error rate and communication QoS as well. For example, if too many symbols are employed it may be difficult for the radio's digital signal processor or DSP to accurately discern the symbols in a noisy environment, and the data error rate will rise, requiring retransmission of the data to maintain a valid checksum in the packet's dynamic CRC check. Using fewer symbols at any given symbol rate, makes it easier to discern one from another, but in turn lowers the digital bit rate and communication bandwidth. By analogy, if the semaphore flag can only be moved into one of four positions instead of sixteen, it is easier to see in a rainstorm so the chance of a communication error, i.e. reading it wrong, is greatly diminished. But using only one of four flag positions, the baud rate is still 1 symbol per second but the bit data rate drops to only 2 bps because 22=4. So there is in an intrinsic tradeoff between bit data rate and bit error rate which WiFi can modulate by dynamically adjusting the symbol rate. A similar tradeoff is made in LTE radio communication.
In 802.11 versions a, g, and n, a new symbol can be transmitted every 4 microseconds, or at 250,000 baud for each sub-carrier channel. WiFi employs 64 sub-carrier channels so theoretically the maximum symbol rate should be 16M baud at full channel capacity. But to guard against inter-channel interference only 48 of the 64-subcarrier channels are actually available, reducing the symbol rate to 12M baud at full channel capacity. In modern radio communications, symbols are converted into bits at multiple-levels, the levels changing dynamically with the RF communication conditions using a variety of phase modulation schemes summarized in the table below:
Multi-channelSymbol RateMaxWiFiPhaseRadio ChannelBits perperWiFi SymbolMaxModulationConditionsSymbolSubcarrierRateBit RateBPSKNoisy or distant1250k baud12M baud12 MbpsQPSKGood, medium224 Mbpsrange16-QAMVery good, short448 Mbpsrange64-QAMExcellent, close672 Mbpsproximitywhere the relationship between symbol rate and bit rate is defined by the following equation”(Bit Data Rate)/(Symbol Rate)=Bits per Symbolwhere the bit data rate is measured in bits per second or bps and the symbol rate is measured in symbols per second or “baud”. Of the phase modulation schemes shown, “binary phase shift keying or BPSK works best over long distances and in noisy radio environments, but uses a purely binary method of one bit per symbol, as such it is limited to low data rates. In good radio conditions, the data rate exceeds the symbol rate, i.e. bits per symbol >1 and the radio's bit rate can be increased anywhere from two to six times that of the BPSK rate, depending on radio conditions, the absence of EMI, shorter distances between transceivers, and broadcast power of the radio. For example, in good conditions or for medium range radio links, “quadrature phase shift keying” or QPSK methods offers double the data rate of BPSK with 2 bits per symbol. In very good conditions limited to shorter-range operation “16-level quadrature amplitude modulation”, called 16-QAM, can be used to increase the bit rate to 4 times the symbol rate offering 48 Mbps in WiFi communications. Under excellent noise-free radio conditions, the data rate can increase to 6 bits per symbol using 64-QAM, i.e. 64-level quadrature amplitude modulation. Phase modulation schemes in communication are well known to those skilled in the art and will not be discussed further in this disclosure.
In the case of 802.11b and 802.11g, another modulation scheme employed is direct-sequence spread spectrum or DSSS where the term “spread” refers to the fact that in DSSS that carrier signals occur over the full bandwidth, i.e. spectrum, of the radio's device's transmitting frequency. In DSSS, modulating circuitry utilizes a continuous string of pseudonoise code symbols shorter than one information bit to phase-shift a sine wave pseudorandomly prior to transmission and to subtract the same noise from the receiver signal. The result of the filtering is that uncorrelated noise is removed altogether and communication can occur reliably even in the presence of radio noise and EMI, even with signal to noise ratios below unity. Because the spread spectrum utilizes the full radio band, such methods are no longer preferred over OFDM, and are not employed in the newest WiFi implementations.
Aside from stipulating PHY layer details on radio bands and modulation schemes, the 802.11 standard also defines the serial data packet format required when communicating to WiFi radios. Compared to Ethernet packet, the WiFi packet header is more complex, in part because it must specify the radio receiving and transmitting station addresses as well as one or two network addresses. The data structure of a WiFi packet is illustrated in FIG. 11, graphically illustrated as serial data represented from left to right in the direction of increasing time 86. Associated table 242 describes the function of each block or sub-packet in the WiFi packet. Like an Ethernet packet, the data frame includes Layer 2 data link information encapsulated in a Layer 1 data frame with a Layer 1 header.
The Layer 1 header comprises a 10 B long preamble 230 and 2 B long SFD 231 as well as a 2 B long PLCP 232. While PLCP is considered as containing both Layer 1 and Layer 2 data, herein it will be considered as Layer 1 data. Together, then the Layer 1 header can be considered 14 B long and the remainder of the WiFi packet constitutes Layer 2 data varying in length from 34 B for empty payloads to 2,346 B for a maximum payload 241 length of 2,312 B. At a maximum payload length of 2,312 B, the WiFi packet is longer than Ethernet packets, which in standard form are limited to only 1,500 B long payloads. Components of Layer 2 WiFi packet as shown include frame control 233, duration 234, radio base station MAC addresses 1 and 2 shown as blocks 235 and 236 respectfully, conditional MAC addresses 3 and 4 shown as blocks 237 and optional block 239 respectively, sequence 238, and frame check 240.
In operation the purpose of preamble 230 as a Layer 1 data frame header subfield is to assist the hardware in initially identifying a device is trying to send data. Start frame header SFD 231, another Layer 1 artifact, is used for synchronizing the incoming packet data to the timing clocks to enable reading the data reliably. After these two blocks, physical layer convergence procedure or PLCP 232 provides information relating to the length of the packet, the data rate, and error checking of the header.
Frame control 233, the first purely data link Layer 2 data defines the version type of the WiFi packet, i.e. if it contains management related info, control commands, data, or reserved features, including the “To DS/From DS” control bits used to determine if the radio operates as an access point or a wireless distribution system. Duration 234, also known as “duration & ID”, defines the network allocation vector duration or NAV duration, i.e. how long the RF medium will be busy before another station can contend for the medium, except in power savings mode, where it contains information identifying its “station ID” used to recognize its beacons when checking for activity. Following the Duration info, Address 1 and Address 2 blocks 235 and 236 define the base station addresses, essentially the MAC addresses of the radio transceiver.
Specifically Address 1 in block 235 contains the BSS receiving station address while Address 2 in block 236 contains the BSS transmitting station address. In the communication of two radios which radio's address is loaded in Address 1 and Address 2 depends on the “To DS/From DS” setting defined in block 233 defining frame control. Address 3 defined in block 237 is used to link the radio to a physical network, e.g. using Ethernet, essentially describing where the data being broadcast is coming from, or alternatively where the data being received is going to. As such, the address present in Address 3 also depends on the “To DS/From DS” setting defined in the WiFi packet. To insure interoperability with Ethernet connections, WiFi addresses are 6 B long, the same of the MAC addresses used in Ethernet LANs.
To define the direction of the data and to be able to reorder packets received out of order, i.e. affected from radio phase delays, Sequence 238 block contains sequence and fragment numbers defining the packet frame. Unless the WiFi packet is identified as a WDS or wireless distribution system packet, then optional Address 239 is excluded from the WiFi packet. After the address and sequence control blocks, payload 241 contains the actual content being delivered by the WiFi packet including OSI Layer 3 through Layer 7 data. Thereafter, Frame Check 240 utilizing a 32-bit (32 b) cyclic-redundancy-check algorithm is employed to detect unintended changes in raw data of the Layer 2 Ethernet packet.
As described, when a WiFi radio is used as an “access point”, e.g. providing a radio connection of a mobile device to the Internet, only three MAC addresses are needed—the transmitting radio, the receiving radio, and the Ethernet connection. The ordering of the addresses depends on the direction of the data flow as defined by the “To DS/From DS” setting. The term DS is an acronym for distribution system, the wireline network or Ethernet connection to which the radio is connected. The ordering of the addresses in a WiFi packet in the case of WiFi access point are illustrated in FIG. 12A, wherein the top figure represents the case where the mobile radio, in this example notebook 260, is wirelessly sending data to WiFi access point 261 and on to the distribution system over Ethernet 265, and wherein the lower figure represents the case where data from the distribution system is routed to WiFi access point 261 via Ethernet 265 then wirelessly sent to notebook 260.
Referring again to the top figure, in operation data is sent from the WiFi radio in notebook 260 using RF signal 264 transmitted from antenna 262A and received by antenna 262B of the base station system or BSS in WiFi access point 261, which in turn sends the packet to the distribution system via Ethernet 265. In this case Sequence 238 contains the “To DS/From DS” bits shown in table 263 where the “To DS” bit is set to binary 1 and the “From DS” bit is reset to binary 0. In such a case Address 1 in block 235, the radio destination MAC address, contains the address of the WiFi BSS receiver, Address 2 in block 236, the radio source MAC address, contains the notebook's transmitting radio address, and Address 3 in block 237 contains the destination MAC address of any distribution system connected device using Ethernet 265.
Referring to the lower figure, where the data flow is in the opposite direction, the radio source and destination MAC addresses are swapped, and the Internet address changes from a MAC destination address to a MAC source address. In this case Sequence 238 contains the “To DS/From DS” bits shown in table 263 where the “To DS” bit is reset to binary 0 and the “From DS” bit is set to binary 1, whereby Address 1 in block 235, the radio destination MAC address, contains the address of the notebook's receiving radio address, Address 2 in block 236, the radio source MAC address, contains the WiFi BSS transmitter address, and Address 3 in block 237 contains the source MAC address of any connected device using Ethernet 265. In operation, data packets are sent across the distribution system from a network connected device and thru Ethernet 265 into base station system BSS in WiFi access point 261 which in turn broadcasts RF signal 264 transmitted from antenna 262B to be received by antenna 262A in the WiFi radio of notebook 260.
The WiFi specification also provides for using WiFi radios for the purpose of implementing a wireless distribution system or WDS as shown in FIG. 12B. In principle, a WDS is a wireless realization of a wireline network, i.e. an RF version of a network cable. To implement a WDS, however, an additional address, Address 4 contained in block 239, is required in the packet routing. In simplified terms, packet routing over a WiFi wireless distribution system requires sequentially using four MAC addresses, whereby (1) an incoming packet from a network MAC source address connects via Ethernet to (2) a transmitting radio source MAC address, which in turn wirelessly connects to (3) a receiving radio destination MAC address, which finally sends the packet via Ethernet to (4) a network MAC destination address. To operate a WiFi radio in WDS mode, WiFi packet Sequence block 238 contains data shown in table 263 where “To DS” and “From DS” are both set to a binary 1 state.
The data direction of a packet is then easily determined by the use of the four MAC addresses, two for the distribution system network and two for the WiFi radio. Referring to the topmost graphic in FIG. 12B, an incoming packet received on Ethernet 269A is received by WiFi WDS A base station 268A, broadcasted as RF signal 264 from antenna 262A of transmitting radio, received by antenna 262B of receiving radio WiFi WDS B base station 262B and forwarded via Ethernet 269B to the destination MAC address. To control the routing, Address 1 in block 235 represents the destination MAC address of the radio link, i.e. the WiFi WDS B address, Address 2 in block 236 contains the source address of the radio link, i.e. WiFi WDS A address, Address 3 in block 237 represents the Ethernet destination MAC address forwarded on Ethernet 269B, and Address 4 in block 239 contains the Ethernet source address received on Ethernet 269A.
For data flowing in the opposite direction from WiFi WDS B base station 268B to WiFi WDS A base station 268A shown in lower graphic of FIG. 12B, the source and destination addresses are simply swapped whereby Address 1 in block 235 represents the destination MAC address of the radio link, i.e. the WiFi WDS A address, Address 2 in block 236 contains the source address of the radio link, i.e. WiFi WDS B address, Address 3 in block 237 represents the Ethernet destination MAC address forwarded on Ethernet 269A, and Address 4 in block 239 contains the Ethernet source address received on Ethernet 269B.
In this way, the WiFi packet mirrors the Ethernet data frame comprising Address 3 as a destination MAC address, and Address 4 as the source MAC address as though the radio link wasn't even present in the routing. As such, a WiFi implemented wireless distribution system behaves like a wireline network in routing packets through a packet-switched network. Furthermore, the function of the “To DS/From DS” control bits allow the same WiFi radio to operate as a bidirectional data link, i.e. a WDS, or bidirectionally as a network access point.
4G Telephony/Long Term Evolution (LTE)—
Just as wire-line telephony has migrated from circuit-switched telephonic networks to packet-switched communication, replacing POTS and PSTNs, first with proprietary-hardware based digital networks such as ISDN, and then later with Internet-Protocol-based networks run on privately-managed computer clouds, so too has wireless communication evolved. As illustrated in FIG. 13, the evolution of digital cellular communication started with voice and simple messaging service or SMS services 290 delivered over circuit switched networks referred to as GSM, an acronym originally “Groupe Spécial Mobile” and as an afterthought changed to mean “Global System for Mobile Communications”. Considered the second generation or 2G of wireless telephonics, GSM optimized for full duplex voice communication replaced the original analog cellular or 1G networks using a time-division multiple access (TDMA) protocol. The next improvement in telephony, shown by block 291, emerged to augment GSM's capability by offering higher bandwidth and adding features such as multimedia messaging (MMS). Still relying on circuit switched network technology, the enhanced networks were viewed as a half step improvement as reflected by the name 2.5G.
The first step to 3G mobile telephony occurred with the introduction of “general packet radio service” or GPRS, by transitioning both wireless infrastructure and phone software to a packet-switched communication network, enhancing voice, SMS, and MMS services with push to talk or PTT, always-on Internet access, wireless application protocol or WAP, and more, as shown by block 292. Based on code-division multiple access or CDMA, GPRS also enhanced call quality, increased network capacity, and improved the system performance. For example, SMS messaging over GPRS delivered messages at least triple the rate of GSM. At 384 kbps, the performance of CDMA was 40 times faster than previous GSM solutions.
The switch to CDMA was a significant event, as it involved replacing and reinstalling the entire world's mobile communication infrastructure with new transceivers and antennas. Once deployed, WCDMA enabled a second, even more significant step in 3G-telephony with the introduction of UMTS, the “universal mobile telecommunications system”, a standard developed by the 3rd Generation Partnership Project or 3GPP encompassing a more global and inclusive approach to defining and deploying a truly universal network and standardized protocol. To enhance its capability and expand network bandwidth, UMTS adopted a new protocol, wideband code division multiple access or WCDMA radio access technology, to offer greater spectral efficiency and bandwidth to mobile network operators without requiring replacement of their 3G hardware investment. Initial networks offered 3.6 Mbps peak downlink rates.
Coincidentally, the concurrent development of the white LED and efficient miniature LED drive circuitry enabled for the first time, the use of color displays in mobile devices, and gave birth to the smartphone. The smartphone was a critical catalyst for commercially driving network bandwidth, as the higher quality color displays created immediate demand for fast Internet access, movie downloads, high-resolution photography, multimedia broadcasting, and even limited real-time video streaming. To fill the demand, high-speed packet access (HSPA), also known as 3.5G, was deployed over upgraded networks boosting both upload and downlink speeds while still using WCDMA modulation techniques. The rollout occurred in phases with high-speed download packet access or HSDPA released first as 3GPP Release 5, and high-speed upload packet access or HSUPA made available soon thereafter in 3GPP Release 6. Peak data rates improved to around 14 Mbps in the downlink and approximately 5.8 Mbps in the uplink but vary dramatically geographically depending on the infrastructure
Even before HSUPA could be widely deployed, cellular operators migrated to HSPA+ as first defined and standardized in 3GPP Release 8, also known as “3GPP Long Term Evolution” or LTE. The technology represents a packet-switched only network based on “orthogonal frequency division multiple access” or OFDMA, based on the same OFDM method employed in WiFi as discussed previously. While OFDM was developed for single user point-to-point communication, OFDMA can be considered as its multiuser version because has the ability to dynamically assign a subset of its subcarriers to individual users.
Initial HSPA+ based LTE deployments started at 21 Mbps. In 2008, the International Telecommunications Union-Radio or ITUR communications sector specified a set of requirements for 4G standards, named the International Mobile Telecommunications Advanced or IMTA specification, setting minimum peak speed requirements for 4G service at 100 Mbps for high mobility communication such as from trains and cars and 1 Gbps for low mobility communication such as pedestrians and stationary users.
Since early HSPA+ based LTE systems did not meet the IMTA speed specification, such early 4G precedents were not officially recognized as 4G telephony despite the fact that they utilized OFDM A modulation and entirely packet-switched networks. Consequentially there is no consensus whether to consider HSPA+ technology as late 3G or early 4G packet-switched telephony. Even the name 3.9G has been suggested. Regardless of naming issues, 4G telephony shown in block 293 today refers to packet-switched communication based on OFDMA modulation and various implementations thereof. Despite technical and historical variations of the data protocols and the use of inhomogeneous wireless networks, in the popular vernacular the terms 4G, LTE, and 4G/LTE are used ambiguously and interchangeably.
The high data rates and relatively robust performance of 4G/LTE telephony is largely due to its modulation methods and data frame structure. As shown in FIG. 14A, 4G modulation comprises up to a 20 MHz bandwidth around a center carrier frequency, typically in the range of 700 MHz to 2.6 GHz range, subdivided into subcarrier frequency bands, where downlink communication is subdivided into many narrow bands 296A through 296N needed to implement the subcarrier channels required by OFDMA. To save power in mobile devices, uplink communication is subdivided into fewer wide bands 295A through 295N and employs single-channel version of frequency division multiple access technology, or SC-FDMA. The various bands 295A through 295N are used to concurrently support multiple users but unlike in OFDMA, are not employed to divide up one high-speed data stream into many. As a result. SC-FDMA upload data rates are necessarily slower than OFDMA based download data rates.
Licensed carrier frequencies, listed in the following table, vary by region where phones from one country may not work in another country, unless a multi-band or world phone designed for global roaming is used.
RegionFrequencies (MHz)BandsNorth700, 750, 800, 850, 1900,4, 7, 12, 13, 17, 25,America1700/2100 (AWS), 2500, 260026, 41South25003, 7, 20AmericaEurope800, 900, 1800, 26003, 7, 20Asia1800, 26001, 3, 5, 7, 8, 11, 13, 40Australia/NZ1800, 23003, 40The above licensed frequencies are subject to change based on the communication commissions managing radio frequency licensing in the various regions.
Shown in FIG. 14B, the 4G PHY layer comprises bursts of RF data 10 ms long to form the 4G-packet or frame 300. Each frame 300 is subdivided into 20 slots of 0.5 ms duration containing 7 OFDM symbols 302. Each symbol 304 is separated from the others by a cyclic prefix 303 and contains fifty resource blocks 305 numbered from 0 to 49 with each block 306 comprising 84 resource elements 307 containing 7 symbols and 12 subcarriers. This data structure supports a flexible encoding used for realizing high bit rates, providing redundancy, and mitigating errors.
FIG. 15 illustrates the encapsulation of data link Layer 2 content within 4G data frame 299 for OFDMA modulation used for 4G data downloads. A similar 4G data packet exists for SC-FDMA uploads, but is not included herein because of its similarity to the packet shown. As shown, each PHY Layer 1 data packet or “data frame” 299 comprises a 10 ms frame 300 with twenty 0.5 ms slots 301 encapsulating data link Layer 2. The Layer 2 data link content of a 4G packet is nested three deep, comprising
MAC sublayer for media access control
RLC sublayer for “radio link control”
PDCP sublayer for “packet data convergence protocol”
The Layer 2 MAC sublayer comprises MAC header 303, a single-frame of MAC SDUs 304, and time padding 305, where the term SDU is an acronym for service data units. MAC header 303 includes the necessary source and destination MAC addresses for the radio connection. Each single frame of MAC SDUs 304 in turn, contains Layer 2 “RLC PDUs” 306, an acronym for “radio link control protocol data unit” used to control radio operation. Specifically, the RLC PDUs 306 contain RLC header 307 specifying information as to radio operation and protocols and encapsulates “radio link control service data unit” information, i.e. single frame RLC SDUs 308 as its nested payload. Following the completion of RLC SDUs 308 at time 309, new radio link control data with RLC header 311 and another set of RLC SDUs commences after a short delay time 310. The result is a sequential data stream of multi-frame RLC SDUs 319 where the data for K and K+1 blocks 313 and 314 is carried exclusively by single frame RLC SDUs 308, and where K+2 block 314 is composed of both blocks 308 from the current frame and from the next.
In the Layer 2 packet data conversion protocol sublayer, each SDU block contains a combination of a PDCP header and a PDCP SDU. For example K block 313 comprises PDCP header 312A and PDCP SDU 323, K+1 block 314 comprises PDCP header 321B and PDCP SDU 324, and K+2 block 315 comprises PDCP header 321C and PDCP SDU 325, collectively forming PDCP PDUs 320. The content PDCP SDUs 323, 324, 325 in turn contains the payload 330 of the 4G packet, namely data blocks 333, 334, and 335 including network, transport and application layer data. Today all the aforementioned processing required to assemble, transmit, receive, and decode 4G/LTE communication is accomplished in a single dedicated communication IC or digital signal processor (DSP).
Using the aforementioned 4G Layer 2 protocol, 4G offers numerous enhancements over predecessor networks and communication standards, including:                The ability to utilize multiple input multiple output or MIMO technology to maximize data rates and insure high QoS connectivity,        Using software based radios to connect to multiple radio networks simultaneously so as to dynamically identify the most appropriate service parameters, e.g. cost, QoS and capacity among others, for a given application;        Utilizing base stations that support intra- and inter-technology handovers, assuring service continuity with zero or minimal interruption, without a noticeable loss in service quality; and        The ability to access services and applications on different mobile and wireless networks simultaneously.        
Applications of 4G/LTE communication include HD and UHD video streaming, cloud computing, high capacity cloud based storage and online backups, faster web access, ability to send and receive large email files, and more.
DOCSIS3/Cable & Fiber Networks—
Until recently, cable TV and fiber video distribution systems packet-switched lagged the rest of the communication industry in adopting digital broadcasting and packet-switched technology. With the rapid adoption of the third generation release of “data over cable service interface specification” or DOCSIS3, however, cable network capability dramatically improved, offering the unique ability to service a large number of clients with multiple channels of high bandwidth communication concurrently. DOCSIS3 concurrently provides high-speed digital two-way communication and Internet access, VoIP, as well supporting multiple channels of high-definition video streaming including hundreds of broadcast and premium TV channels, unicast TV for pay-per-view, and IPTV downloads.
An example of a DOCSIS3 based cable & fiber network supporting multiple independent users is illustrated in FIG. 16. In cable distribution, the broadcasting of content and management of client communication is directed from a central cable headend device known as “cable modem termination system” or CMTS 350. Various devices feed content to CMTS 350 including a video headend 351 delivering network TV, IPTV system 352 delivering pay-per-view unicast as well as IPTV and movie downloads, VoIP system 353 for telephony, and Internet 20 for web and cloud connectivity. The aggregated information comprising high-speed digital (HSD), voice over Internet protocol (VoIP), broadcast and IPTV is sent to clients as multiple channels 354 carried on a single coaxial cable or optical fiber.
Data packets distributed from CMTS 350 are then connected to a variety of subscribers, and devices including a cable modem merged into set top box CM/STB 357 is connected to high-definition TV 39, or a cable modem CM 358 is used to supply voice communication to phone 37 and high speed digital connectivity to desktop 38 and home WiFi transmitter 26. In a manner similar to bus and hub networks, the aggregated content carried on channels 354 are all carried on the same cable or fiber and received by all CMTS connected devices.
With DOCSIS3, cable model termination system CMTS 350 became a switched network where all the content is not necessarily distributed to every subscriber. This feature known as “bundling” allows CMTS 350 to control which channels can be received by various subscriber's connected devices. As shown, bundled channels 355 carry content for TV 39 and IPTV while bundled channels 356 carry high-speed digital content and voice. The merged cable modem and set top box CM/STB 359 is able to access both bundles 355 and 356 useful in TV 39 is a smart TV while cable model CM 360 used for desktop 36, phone 37 and home WiFi 26 is only connected to HSD/VoIP bundled channels 356 since it doesn't require video connectivity.
Like the previous examples of Ethernet, WiFi and 4G/LTE, content distribution using DOCSIS3 over cable and fiber is bidirectional capable of full duplex operation, all implemented using packet-switched technology. By employing light instead of electrical or microwave signals to carry information on its PHY layer, optical fiber, in particular offers superior bandwidth compared to other forms of communication. The OSI communication stack for DOCSIS3 in a cable distribution system is illustrated in FIG. 17 illustrates Layer 1 PHY connectivity, the Layer 2 data link, and the overlying Layer 3 network for both the cable modem termination device CMTS 101 as well as examples of cable connected devices, e.g. cable modem CM 103 or set top box STB 102. Specifically, cable modem termination device CMTS 101 contains a Layer 1 PHY network interface 361 connected to cloud severs 22 and Internet 20, or alternatively to a video headend 351, IPTV system 352 or VoIP system 352 shown in the prior figure. The combination of network interface 361 and data link layer 366 comprise the device interface communication stack of CMTS 101.
On data link Layer 2, data is passed from the network interface communication stack to the cable network interface communication stack through forwarding function 370, specifically into link level control LLC 369. Link level control LLC 369 comprises a hardware-independent protocol defined in accordance with IEEE specification 802.2. The packet data is then modified by link security 368 to provide limited packet security, primarily to prevent unauthorized viewing of content such as pay-per-view unicast broadcasts. The data packets are then formatted in accordance with DOCSIS3 to include cable MAC 367 addresses in a manner similar to the example shown by WiFi radio bridge of FIG. 10. The Layer 1 PHY cable interface 362 then sends the data frames over distribution network 102 comprising either coaxial cable 104 or optical fiber 91 to the corresponding Layer 1 PHY cable interface 363 within cable modem CM 103 or set top box STB 102. Cable interface 363 represents the PHY layer of the cable network interface communication stack of cable modem CM 103 or set top box STB 102.
Upon receiving a data packet, cable MAC interface 371 then interprets the cable MAC addresses, passing its payload to link security 372 for decryption and ultimately to hardware independent link layer control LLC 373 for interpretation. The input data to the CM or STB cable network communication stack is then passed through transparent bridging 374 to the CM or STB device interface communication stack, specifically to device independent link layer control LLC 375 in accordance with the specification for IEEE 802.2. The packet is then passed to either HSD & IPTV MAC block 376 or to WiFi 802.11 MAC block 377 to update the packet's MAC addresses. In the case of WiFi communication, the data packet is then passed from 802.11 MAC block 377 to WiFi PHY Layer 1 radio interface 365 for transmission on WiFi radio 26. In the case of wireline connections, the data packet is then passed from HSD & IPTV MAC block 376 to Ethernet or HDMI interface block 364 for connecting to TV 39 or desktop 36.
Similar to OFDM used in WiFi or OFDMA used in 4G/LTE communication, DOCSIS3 communication employs multiple orthogonal, i.e. non-overlapping frequencies, either in the microwave or optical spectrum of electromagnetic radiation in which in encodes and transmits its information. Rather than assigning content specifically dedicated to each channel, DOCSIS3 supports “trellis encoding”, the ability to dynamically allocate and reallocate content including video, high-speed data, and voice across all its available frequency channels. As shown in several encoding examples of FIG. 18 utilizing 1 to 6 channels, data packets representing a given type of content can be assigned to a single channel or allocated across multiple channels. Data is arranged both by channels 385 and by time slots 386. In the example labeled m=1 (QPSK), time slots to through to are encoded on a single channel to deliver content from a single source #1. In the example labeled m=2 (8-QAM), two channels encoded using 8-QAM are employed to deliver content from two sources. The modulation method, quadrature amplitude modulation or QAM, is the same employed by WiFi discussed earlier and will not be repeated here. Source #1 delivers data from times t0 to t4 then from source #2 from t4 to t8. In the example labeled m=3 (16-QAM), three channels encoded using 16-QAM are employed to deliver data from three sources. Concurrent to source #2 delivering content 390 on channel m=1 from time t0 to t8, source #1 delivers content 391a from times t0 to t4 on channels m=2, while source #2 delivers content 391b from t4 to t8.
In the example labeled m=5 (64QAM), six channels encoded using 64QAM are employed to deliver contents from five sources. For example, on two sub-channels of m=5 labeled m=2, content from source #3 is delivered from times t0 to t4 and content from source #3 is delivered from times t4 to t8. Meanwhile on the subchannels labeled m=4, content from source #1 is delivered on four channels for time t0 to t2 and then on only three channels from time t2 to time t3. Content from source #2 starts out at time t=t2 on only one of four channels and then increases to m=4 at time t3. In the example labeled m=6 (128QAM), content 389 from source #3 is delivered on two channels of six from time t0 to t4 while the other four channels are used to deliver content 388a from source #1 from time t0 to t2 and used to deliver content 388b from source #2 time t2 to t4. In the examples shown, trellis encoding provides a cable operator the maximum flexibly in bandwidth management and content allocation.
In the corresponding data packet used in DOCSIS3, shown FIG. 19, PHY Layer 1 comprises physical media device frame 390 of variable length and duration, containing data link Layer 2 MAC data comprising preamble 391, variable length payload or codewords 392 and guardtime 393. Preamble 391 contains either an upstream preamble or a downstream preamble, depending on the direction of communication. In the case of an upstream preamble, preamble 391 contains physical media device PMD header 398, MAC header 399 and data PDU 400. In the case of the downstream preamble, preamble contains MPEG header 401, MAC header 399 and data PDU 400. The content of variable length payload 392 may comprise a short codeword 394 or a long codeword 397.
Short codeword 394 contains payload 395A comprising data A and error correction 396A containing FEC A. In the event of long codeword 397, the payload is divided into multiple payload blocks 395A, 395B, and 395C carrying data A, data B, and data C, respectively, with each payload containing its own error checking blocks 396A, 396B, and 396C including corresponding data FEC A, FEC B, and FEC C. After error checking, the delivered data from DOCSIS3 comprises data blocks 395A, 395B and 395C in the case of a long codeword and only data block 295A in the case of a short codeword.
In this manner DOCSIS3 flexibly delivers data over a cable network using packet-switched data protocol.
OSI Layer 3—Network (Internet) Layer
As described previously, data payloads can be delivered over a variety of PHY Layer 1 hardware configurations and data link Layer 2 interface protocols. While Layers 1 and 2 are specific to devices, Layer 3, the network layer, provides a device independent form of communication, ubiquitous and agnostic to the PHY network used for carrying the signal and data. Layer 3 communication is illustrated in FIG. 20 where three network connected devices 420A, 420B, and 420C comprising computing and data storage functionality 423A, 423B, or 423C all share Internet connectivity 421. As such, each device's corresponding communication stack 422A, 422B, and 422C connects the devices to one another using Layer 3 network 421, which except in proprietary systems generally represents the internet.
To guarantee interoperability in packet-switched networks operating across various hardware platforms, networks, and systems, the OSI model prescribes a well-defined protocol organized in seven layers as shown in FIG. 21. As mentioned previously, like the babushka or Russian nesting doll where each wooden doll contains another smaller doll inside it, the data packets or “datagrams” for packet-switched networks are arranged in similar fashion where Layer 1, the PHY layer packet or “frame” contains all the other layers within its payload including Layer 2 link layer data which in turn encapsulates a payload comprising Layers 3 through 7, including Layer 4 network packets, and so on.
In greater detail, Layer 1 frame 430 contains all data of the physical or PHY layer comprising electrical, radio or optical signals. Embedded within the PHY layer data 430, is the media access control or data link layer information on Layer 2 comprising MAC header 431, MAC payload 432, and MAC footer 433. MAC payload 432 encapsulates the network (Internet) layer or IP packet on Layer 3 comprising Internet protocol or IP header 434 and IP payload 435. The IP payload 435 encapsulates transport layer datagram or Layer 4 data comprising transport header 436 and transport payload 437. The transport payload 437 then encapsulates all application data 438 for the application layers 5 through 7 consistent with the OSI model shown previously in FIG. 4.
In operation, upon receiving an IP data packet shown in FIG. 21, the network connected device and its firmware interpret the Layer 1 and Layer 2 data and ignore any information contained within MAC payload 432. Network software in turn interprets the IP addresses, routing, and control contained within the IP Layer 3 data but ignores the contents of IP payload 435. Transport Layer 4 software then interprets information contained within IP payload 435 as a transport layer “datagram” comprising transport header 436 and transport payload 437 providing any required handshaking between the communicating parties to insure reliable delivery of the IP packet. Transport payload 437, encapsulates information comprising application data 438 for the remaining upper layer applications including packets containing data for session Layer 5, presentation Layer 6, and application Layer 7. In summary, Layer 1 and Layer 2 are concerned with establishing physical connections and rules for network connected devices, Layers 3 and 4 are concerned with identifying the recipient of an IP packet and confirming its delivery, and Layer 5 through Layer 8 contain the actual information being delivered as a data payload. Accordingly, Layer 1 and Layer 2 hardware and firmware have no interest in the contents of the data being sent or in its application, Layer 3 and Layer 4 network software doesn't concern itself with what physical devices are sending the packets nor what is the content of the packets, and Layers 5 through 7 do not care how the packet was sent or its reception was confirmed. In this manner routing of a datagram of unknown content can be managed in packet-switched networks without any concern for the hardware used in sending the packet or in the intended use of the packet's data.
To maintain interoperability, packets sent over networks use a standardized format known as Internet Protocol or IP, even in cases when the actual network is not directly connected to the Internet. Layer-3 connectivity may comprise any collection of devices connected to a common packet-switched network using IP packets, including communication over (1) hosted or private servers connected directly to the Internet, (2) private closed networks or “intranets” not connected to the Internet, or (3) closed networks connected to the Internet through “network address translators” or NATs described later in this application. In the former case, any IP address used on the Internet must be registered and licensed to a client as an exclusive and valid Internet address. In the latter two cases, the IP address has meaning only in the isolated network where their use is intended and is not registered as Internet address. Attempts to use non-registered IP addresses on the Internet will result in connection errors.
As shown in FIG. 22, every IP packet contains two elements, an IP header 434 and an IP payload 435. The IP header 434 commonly comprises one of two well-established versions—one for “Internet protocol version four” or IPv4, and the other for “Internet protocol version six” or IPv6. The first 4 bits of IP header 434 contained with the header's preamble 440 or 444 provide a binary code for the Internet version of the packet where 0100 shown as data field 447 represents version 4 and 0110 shown by data field 448 represents version 6. In the event that IPv4 is selected, preamble 440 comprises a field 12 B long including the version bits 447, followed by 4 B long source address 441, 4 B long destination address 442, and 8 B long options field 443. In the event that IPv6 is selected preamble 444 comprises a field 8 B long including the version bits 448, followed by 16 B long source address 445, and 16B long destination address 448. Unlike IPv4, version six has no option field.
Importantly, IPv4 preamble 440 and IPv6 preamble 444 differ in length, content, and format and must be considered separately. Moreover the IP address field of IPv6 is long with the ability to uniquely specify an almost uncountable number of IP addresses, i.e. 2128. By comparison, IPv4 is only 4 B in length and can specify only 232 addresses. Because of the limited number of combinations in IPv4, other information is required to identify and separate networks from clients, as specified in preamble 440. IPv6 does not require the need for providing such a distinction. Most modern networks and IP routers today are able to support both IPv4 and IPv6.
Internet Protocol IPv4—
Looking into greater detail in the data packet construction of IPv4 datagram 450, FIG. 23 illustrates a two-dimensional graphical representation of time arranged sequentially from left-to-right by columns and from top-to-bottom by rows, specifically where for each row, time is illustrated by bytes or octets 0 to 3 (or alternatively represented by bits as 0 to 31), and from top-to-bottom each row is labeled with an offset octet where the topmost row labeled “0” is followed by the row labeled “4”, then “8”, then “12”, etc. To properly read the sequential data from datagram 450, the packet starts in the offset octet row labeled “0” where from left-to-right, the first data sent or received comprising preamble 451 contains the aforementioned “version” field, followed by “IHL, DSCP, ECN”, and “total length” fields. Following immediately thereafter, data from the next row offset labeled offset octet row “4” is read comprising the fields labeled “identification, flags, fragment offset”. Finally the last row labeled “8” in preamble 450 contains the fields “time to live, protocol, and checksum.” After the preamble the datagram includes a 4 B source IP address, a 4 B destination IP address, and on the row labeled as offset octet 20, an “options” field. The last field in datagram 450 comprises variable length payload packet 435. Although the example shows a 4 B length, the payload length is variable.
Table 451 provides a brief summary of the information contained in the IPv4 datagram fields. As mentioned previously, the four-bit long (4 b) version field sets the Internet protocol to binary 0100 for version 4. The IHL field specifies the number of 32 b words in the IP header 434, the length of IPv4 packet 450 excluding payload 435, ranging in value from 20 B to 62 B. DSCP comprises a 6 b field defining differentiated service to control the communication quality of service or QoS. ECN represents a 4 b field for explicit congestion notices or ECNs describing the network's loading condition. Total length describes the total length of the IPv4 packet datagram including both IP header 434 and IP payload 435, ranging from a minimum length of 20 B to a maximum length of 65,535 B. The maximum packet length may be limited to smaller datagrams by the Layer 2 data link protocol for a specific PHY medium. The 2 B long “identification” field uniquely identifies a group of fragments of a single IP datagram to enable reassembly of a packet with segments received out of order, used in conjunction with the 3 b “flags” and 13 b “flags offset” used to manage packet fragmentation. The 1 B long TTL or “time to live” field limits the lifetime of datagrams in the network to prevent immortals, packets that cannot be delivered to their intended destination but never expire. The TTL, field specifies the maximum number of routers that any specific packet can traverse before being discarded as undeliverable. Each time the packet traverses a router the TTL count is decremented by one count.
Field 460, the 1 B long “protocol” field, describes the type of data contained in the IPv4 packet's payload 435. In some cases, this data provides specific instructions, e.g. to check the network condition or propagation delay, to be executed as a Layer 3 packet, while in other instances the payload may be identified as containing Layer 4 transport protocol used to manage packet delivery and confirmation, including ICMP, IGMP, TCP, UDP standard transport protocols or other proprietary formats. In essence, the protocol field is a Layer-4 datagram description in a Layer-3 IPv4 packet, intimately linking the OSI layer 3 to Layer 4 in the Internet Protocol. The header checksum field is used to insure the header data is correct so that the packet is not delivered to the wrong destination. It comprises a 16-bit checksum used to detect errors and data drops. Collectively, the aforementioned fields form IPv4 packet preamble 440
The following two fields, the source IP address and destination IP address, are 4 B long and may be represented in a number of formats. The traditional format, referred to as the dot-decimal format, comprises four decimal numbers separated by decimal points, e.g. 192.0.2.235 or in dotted hexadecimal form as 0xC0.0x00.0x02.0xEB where each byte, i.e. octet, is preceded by 0x and individually converted into hexadecimal form. The 32-bit address can also be converted into its decimal equivalent 3221226219 or into a single hexadecimal number 0xC00002EB as the concatenation of the octets from the dotted hexadecimal format. Additional detail of IPv4 address formats can be obtained by referring to http://en.wikipedia.org/wiki/IPv4 or other similar references. The 4 B long “option” field, active only when the IHL field is set to 6 to 15, is seldom used because of security risks it creates.
Internet Protocol IPv6—
Because of IP address exhaustion, a new set of IP addresses was instigated referred to as Internet protocol version six. Data packet construction of IPv6 datagram 453, as shown in FIG. 24, like its version four predecessor, comprises two elements, an IP header 434 and IP payload 435 except that the header is significantly simpler and the IP addresses are significantly longer. Specifically IPv6 preamble 444 comprises only 8 bytes in length while the IPv6 addresses 445 and 446 are 16 bytes long.
Table 454 provides a brief summary of the information contained in the IPv6 datagram fields. As mentioned previously, the four-bit long (4 b) version field sets the Internet protocol to binary 0110 for version 6. The 1 B long “traffic class” field includes a 6 b subfield specifying differentiated services and 2 b for ECN congestion management similar to version 4. The 20 b “flow label” field minimizes fragmentation by maintaining data path to avoid reordering in real-time applications. The 2 B long “payload length” specifies the length of payload 435 in bytes (octets). Field 460, the 1 B long “next header”, specifies the type of content in payload 435. Like the “protocol” field in IPv4, the “next header” field in IPv6 essentially provides information regarding content of IP payload 435. In some instances this content comprises an action, e.g. to check network delays, and comprises Layer 3 data. In other cases, the content comprises Layer 4 transport protocol used to manage packet delivery and confirmation, including ICMP, IGMP, TCP, UDP standard transport protocols or other proprietary formats. Like “time-to-live” in IPv4, the 1 B “hop limit” in an IPv6 packet specifies the maximum number of routers a packet may traverse before being discarded as an immortal. Each time the packet traverses a router the count is decremented by one.
The following two fields, each 16 B long, specify the source IP address 445 and the destination IP address 446. As mentioned previously the purpose of the longer IP addresses is to overcome the IP exhaustion occurring in IPv4. This issue is illustrated in FIG. 25 for IP addresses 469 contrasting three classes of 4 B long IPv4 addresses to the classless 16 B long IPv6 address 458. Because the IPv6 address is capable of 2128 or 3.403×1038 unique combinations there is no need to break the addresses into classes allocated specifically to networks and clients. By contrast, because of the limited combinations available in IPv4, the addresses were subdivided into “classes”, where today Class A through Class C are still in common use.
As shown, Class A comprises a 1 B long network field 456A and a 3 B long client field 457A having IPv4 addresses ranging from 0.0.0.0 through 127.255.255.255 to support 128 networks and 16,777,216 (approximately 224) clients. Class A users may comprise any large IP provider, telecommunication company, or video provider. Class B addresses comprise a 2 B-long network field labeled 456B and a 2 B-long client field labeled 457B having IPv4 addresses ranging from 128.0.0.0 thru 191.255.255.255 to support 16,384 (approximately 214) networks and 65,536 (approximately 216) clients. Class B users may comprise companies with a large number of sites. Class C addresses comprise a 3 B-long network field labeled 456C and a 2 B-long client field labeled 457C having IPv4 addresses ranging from 192.0.0.0 through 223.255.255.255 to support 2,097,152 (approximately 221) networks and 256 (i.e., 28) clients. Class C users typically comprise small business entities.
During routing of a packet through the network or Internet, processing of each field in IP header 434 occurs on a need-to-know basis. For example, each router needs to know the IP version, the packet length, and the packet's checksum to check for errors. Likewise the hop time or time-to-live in also necessarily processed by the intermediate routers to cull immortals. Intermediate routers, however, don't need to interpret every field of P header 434. Specifically, field 460, the “protocol” field in IPv4 or “next header” in IPv6 has meaning only for the sending and destination IP addresses. Intermediate routers have no need to know the content of IP payload 435 and therefore do not process the information. When a packet finally reaches its destination IP address, only then will the intended recipient device or server read the value of field 460 in IP header 434 to interpret what kind of data is encapsulated within IP payload 435. As shown in FIG. 26, any valid value in field 460 may result in an action relating to a Layer-3 network layer payload or alternatively to a Layer 4 transport layer payload. In the event the code contained in field 460 is not recognized by the destination IP address, the server or recipient device will discard the packet as imperfect.
In cases where field 460 contains Layer 3 network layer payloads as executable instructions, IP payload 435 instructs the network the task to be performed. For example, when field 460 contains the equivalent of the decimal numbers 1 or 2 shown as protocol or next header fields 461 or 462, IP payload 435 will contain corresponding instructions for the network utilities ICMP or IGMP, respectively. Should field 460 instead contain the equivalent of the decimal number 6 shown as protocol or next header field 463, IP payload 435 will contain data 475 for a payload using TCP Layer 4 transport protocol. Similarly, should field 460 instead contain the equivalent of the decimal number 6 shown as protocol or next header field 464, IP payload 435 will contain data 476 for a payload using UDP Layer 4 transport protocol. Layer 4 payloads will be discussed in the subsequent section of this disclosure. Other less common and proprietary codes also exist. If the field 460 contains a protocol or next header code that is a standardized registered code, then public networks, at least theoretically, should respond appropriately to the code and properly interpret the payload. In cases where the code is proprietary, only proprietary networks and customized router can interpret the code and take appropriate action accordingly.
In the case when field 460 contains the equivalent of the decimal number 1 shown as protocol or next header fields, the IP payload 435 carries a specific network utility 435 called ICMP or “Internet control message protocol” used by network devices, like servers, routers, access points, etc. to access network propagation delays, to indicate that a requested service is not available, or identify that a router or host cannot be reached. Its assigned protocol or next header identifier, the decimal number 1, is distinct from UDP and TCP in that ICMP is generally not used to exchange information between systems or end-user applications except in the case of performing certain network diagnostics. As shown in FIG. 26 for the IP packet corresponding to data 461, the ICMP packet comprises a four-part header with type 465, code 466, checksum 467, and rest of ICMP header 468, followed by ICMP data 469.
The “type” 465 and “code” 466 fields together facilitate the delivery of various control messages. Elaborating, type=3 control messages means the IP destination is unreachable, where the code describes why it was unreachable, e.g. for code=0 the destination network was unreachable, code=1 the destination host was unreachable, code 3 the destination port was unreachable, and for code=9 the network is administratively prohibited, etc. When type=5, the packet can be redirected whereby code=0 means redirect datagram for the network, code=1 means redirect datagram for the host, etc. Type=8 “echo request” followed by type=0 “echo reply” together perform the important and well known “ping” function, analogous to a submarine sonar sounding to check the network's propagation delay. Other important functions include “traceroute” for code=30, “domain name request” code=37, domain name reply code=38, timestamp request code=13 and timestamp reply code=14. For delivery issues code=11 means delivery “time is exceeded”, code=12 means “bad IP header”, and code=4 or “source quench” is used in cases of congestion control. The contents of ICMP data 469 may contain messages or may be used simply to load the network with larger packets to investigate if issues specifically may be plaguing large payload delivery.
Also shown in FIG. 26, when field 460 contains the equivalent of the decimal number 2 shown as protocol or next header fields, the IP payload 435 carries a specific network utility 435 called ICGMP, an acronym for “Internet group management protocol”. Unlike ICMP used in network diagnostics of both IPv4 and IPv6 networks, IGMP is used only in IPv4 multicasting for one-to-many networking applications such as gaming or online streaming. The term IGMPv4 is not used however, because IGMP's heritage evolved from earlier incarnations of the Internet. Instead IGMPv2, and IGMPv3 are the only protocols supported today. Also in IPv6, multicasting is carried over ICMPv6 using multicast listener discovery and not directly through bare IGMP encapsulation. The IGMP packet contains a four-field header comprising “type” 470, “MRT” 471, “checksum” 472, and “IGMP group address” 473, followed by IGMP data 474.
In IGMP, the type 470 field describes the nature of the packet as “membership query, membership report or leave group” commands, “MRT” 471 or maximum response time sets the maximum time limit to receive a report up to 100 ms, and checksum 472, a 16-bit ones-complement sum of the entire IGMP package. For broadcasting, IGMPv2 sends the IGMP packet and its payload IGMP data 474 to IGMP group address 473 in accordance to the setting of message “type” 470 where a “general query” sends a multicast to all hosts, i.e. 224.0.0.1 and “leave group” likewise sends a message to all routers, i.e. 224.0.0.2. In IGMPv2 “group-specific query” and “membership report” only the group being queried or reported is involved in the communiqué. In IGMPv3, a more comprehensive membership query is possible defining all the connected parties.
Aside from ICMP and IGMP other datagrams comprise proprietary protocols where the source and destination IP addresses must prearrange to communicate using a unique format, otherwise the IP payload 435 will generally comprise data following TCP or UDP transport Layer 4 protocols.
OSI Layer 4—Transport Layer
The function of the OSI transport Layer 4 is illustrated in FIG. 27 where three network connected devices 480A, 480B and 480C containing computing and data storage blocks 483A, 483B, and 483C with corresponding communication stacks 482A, 482B, and 482C share a common network 481. The transport layer insures that communication 484 only occurs between communication stack 482A in device A and communication stack 482B in device B. The purpose of the transport layer is to control communication between the two connected devices, and to provide context for the type of the application data being delivered by the IP packets and the service to be performed. So in essence network 481 of OSI Layer 3 enables the connection of any combination of devices and the transport layer of OSI Layer 4 insures the communication of two specific devices.
The two predominant transport protocols used today are TCP and UDP. In the “transmission control protocol” or TCP, a communication connection between devices is guaranteed by a processing of handshaking, confirming that an IP packet has been reliably and accurately delivered across a packet-switched network before sending the next packet. Using TCP handshaking, a “connection” can be insured even in a “connectionless” packet-switched communication system comprising a local area network, an intranet, or the public Internet. TCP insures reliable, error-checked, properly ordered delivery of a series of digital bytes with high accuracy but with no guarantee of timely delivery. TCP is used to deliver time-insensitive payloads comprising a variety of computer programs, files, text, video, and voice communication including email, file transfers, web browsers, remote terminal functions, and secure shells. For time-sensitive payloads, other protocols better suited for real-time applications such as UDP are preferred.
Transmission Control Protocol (TCP)—
Operating at the OSI transport Layer 7, TCP functions at a level intermediate to the network or Internet Layer 3 and the upper application layers. In delivering IP packets TCP is able to correct for unpredictable network behavior due to network congestion, dropped packets, traffic load balancing, and out-of-order deliveries. TCP detects these and other problems, requests retransmission of lost data as needed, rearranges out-of-order data, and even mitigates moderate network congestion as possible. IP packets delivered by the TCP transport layer may be referred to as TCP/IP datagrams. During packet delivery, a timer is used to monitor the delivery time. In the event the time expires before the packet is delivered, a request to retransmit the package is made. TCP packets are encapsulated within the payloads of IP packets. Received TCP packets are buffered and reassembled for delivery to applications.
In order to identify the application or service for which a TCP packet is intended, the TCP utilizes digital identification referred to as a “port”. A port is a number used to uniquely identify a transaction over a network by specifying both the host, and the service performed. Ports are employed by TCP or by UDP to differentiate between many different IP services and applications, such as web service (HTTP), mail service (SMTP), and file transfer (FTP). Communicating devices utilize a combination of both Layer 3 IP addresses and Layer 4 ports to control the exchange of information from the physical network comprising PHY Layer 1 and data link Layer 2, with the upper OSI application Layers 5 and above.
Each TCP packet 500, shown in FIG. 28A, comprises a TCP header 506 and its TCP payload 507. Details of the functions of TCP header 506 are summarized in table 508 shown in FIG. 28B, where TCP header 506 comprises source port 501, destination port 502, sequence number 503, acknowledgement number 504, as well as the “offset, reservation, flags, window size, urgent pointer and options” fields. It also includes checksum 505 to confirm packet integrity. Sequence number 503 is used to keep track of the order of multiple packets and depends on the status of the SYN flag in the “flags” field of TCP header 506. The “acknowledgement” field is used in the handshaking process. If the ACK flag in the “flags” field of TCP header 506 is set to binary one, the acknowledgement field is the next sequence number that the receiver is expecting, and thereafter acknowledging receipt of all subsequent packets.
Data “offset” specifies the size of TCP header 506, i.e. the length of the header from the start of TCP datagram 500 to the beginning of TCP payload 507 as specified in the number of 2 B (32-bit) words ranging from 5 2 B-long words to 15 2 B-long words. Reserved bits are not used at this time. The flags field contains nine binary flags relating to in part to concealment, congestion, urgency, packet acknowledgement, push function, connection reset, sequencing, and no more data from sender. Window size specifies the maximum number of bytes the sender is willing to receive in one packet. Checksum comprises a 2 B (16 b) checksum for error checking of both the TCP header 506 and TCP payload 507. If the URG flag is set to binary one, the “urgent pointer” field indicates the last urgent data byte to be sent.
In packet communication based on TCP/IP, handshaking is a key feature in insuring data integrity. As shown in FIG. 29 at time t=0, notebook 510 sends a TCP/IP package to web server 531 sending TCP header 512A, TCP payload 513A, and travel time 514A together requiring duration Δtn, followed by an acknowledgement from web server 511 to notebook 510 comprising TCP header 512B, and null field 513B requiring duration Δtb. Together the combined interval t1=Δta+Δtb represents the minimum time to send and confirm a TCP/IP packet, roughly twice the time of the initial packet delivery. Then and only then, can a 2nd-packet be delivered comprising TCP header 512C and TCP-payload 513C. In the event that a packet is corrupted or lost, the packet must be resent and confirmed, increasing the duration for the delivery from t1 to 2t1. Should the packet require being resent “n” multiple times, the duration for just one packet comprises nt1. The variable time delay using TCP transport in extremely problematic when delivering time sensitive packets such as video or VoIP.
In summary, TCP/IP packets have the following characteristics:                Reliable—TCP/IP guarantee delivery by managing acknowledgement, error checking, retransmission requests, and timeout features        Heavyweight—TCP/IP utilizes a large transport layer packet with a long complex header and requires at least three packets just to establish a connection “socket” between a host and client.        Variable/slow rate—Because of handshaking, the data rate of TCP/IP is variable and significantly slower than UDP, making TCP unattractive for real-time applications such as video and VoIP.        Ordered—TCP buffers and reorders any packets received out of order        Congestion control—TCP provides several features to manage congestion not available in UDP.        Error checking—TCP/IP packets are checked for integrity if they are received and retransmitted if any packets are dropped or arrive corrupted.        
User Datagram Protocol (UDP)—
As an alternative to TCP, the “user datagram protocol” or UDP employs a connectionless transmission mode, one with a minimal protocol and no handshaking verification of packet delivery. Sensitive to the underlying instabilities of a network, UDP offers no delivery acknowledgements, nor any packet ordering or duplicate protection. It does, however, utilize checksums for confirming data integrity. UDP is most suitable in time-sensitive applications or for purposes where error checking and correction are either not necessary or are performed ex post facto in the application, avoiding the overhead of such processing at the network level.
The UDP 529 packet shown in FIG. 30 comprises UDP header 520 and UDP payload 524. The UDP header 520 described in table 525 comprises only four fields, a 2 B-long source port address 521, a 2 B-long destination port address 521, “length” field 523, and checksum 523. UDP port addresses utilize the same format as TCP/IP packets. The UDP packet length field 523 ranges from a minimum length of 8 B to a maximum length of 65,535 B in IPv6. For practical considerations the largest checksum length is limited to a slightly smaller 65,507 B in IPv4 protocol.
The 2 B checksum 523 is used for error detection of the combined length of UDP payload 524 plus data from UDP header 520, modified algorithmically into a pseudo-header to include IP addresses and other fields borrowed from the IP header. The pseudo-header never exists explicitly in the datagram, but is created, i.e. algorithmically synthesized from the data available in IP header and the UDP header, just for the purpose of error checking. The pseudo-header format and checksum values differ for IPv4 and IPv6 based UDP packets. While the checksum feature is optional in IPv4, its use is mandatory in IPv6. When not in use, the field is loaded with a 0 digital value. After UDP header 520, the UDP payload 524 follows with a variable length ranging from 0 B to 65,507 B in IPv4.
In summary, both UDP and TCP/IP can be used for Layer 4 transport of an IP packet traversing a switched packet communication network. UDP packets have the following characteristics:                Unreliable—UDP does not guarantee delivery nor can it sense lost packets. UDP lacks the mechanics for identifying lost packets, for requesting retransmission or for monitoring for time-out conditions during delivery.        Lightweight—UDP utilizes a small transport layer with a minimal sized header lacking many TCP features and associated packet overhead        Fast—As an artifact of their small size, UDP packets can be delivered rapidly and do not require handshaking confirmation of delivery or retransmission of lost or corrupt packages. Data rates are at a minimum, twice that of TCP and four times faster than cases involving the retransmission of TCP packets. In unstable networks, the request for retransmission can completely jam any TCP packet delivery        Unordered—the order packages are received may not be the same order as in which they were sent. The application must be smart enough to reorder out of sequence packets.        No congestion control—other than as an artifact of its small packet overhead, UDP does not avoid congestion unless such congestion control measure are implemented in the application level.        Error checking—UDP packets are checked for integrity only if they are received. If they are in error the packets are dropped without any request for retransmission.        
Use of Layer-4 Ports—
Ports play an important role in the implementation of Layer 4, the transport layer, in packet-switched network communication. Among other benefits, ports help identify the applications or services provided by a server or device, they assist in allowing multiple users to interact with the same server without intermingling individual client's communications, they provide a means to support full duplex communications using different port pairs for host-to-client and client-to-host exchanges, and they help facilitate the operation of NATs, network address translators, to increase the number of available IP addresses for users while limiting the cost and number of required connections directly to the Internet.
An example of a host-client exchange of datagrams is illustrated in FIG. 31A, where client's device 526B, either a tablet or notebook, requests a web page from host 526A, typically a web server. In the exchange, client 526B sends a IP datagram comprising a Layer-3 IP header 529 having an IP address 527B with a numeric value “IP address B” to a host server at an IP address 527A having a numeric value “IP address A”. Encapsulated within the payload of the Layer-3 datagram, the client also sends a Layer-4 transport header 530 containing its own source port number 528A with an ad hoc value of 9,999. The port request is sent to host port 80—a reserved HTTP port 528A used for web browser downloads of web pages. So although the requesting port number 9,999 is arbitrarily assigned in an ad hoc manner from the next open port number, the destination port 80 has a specific meaning for the requested service as a web page request.
A simplified version of the IP datagram used for this web page request is illustrated at the bottom of FIG. 31A comprising Layer-3 IP header 529, Layer-4 transport header 530, and IP packet payload 536. Within Layer-3 IP header 529, source IP address 531 has a numeric value “IP address B”, and destination IP address 532 has a value “IP address A”. Within Layer-4 transport header 530, source port 533 has a numeric value of port # “9,999”, and destination port 534 has a numeric value of port # “80”. IP packet payload 536 contains payload (data) field 535 comprising Layer 5 through Layer 7 application data.
FIG. 31B illustrates the reply for the client's request for services. As shown, all the directions of the arrows are reversed and all source and destination IP addresses and port #s are swapped from the prior illustration. In the exchange, an IP datagram containing an Layer-3 IP header 537 is sent from a source IP address 531 having a numeric value “IP address A” to a destination IP address 532 having a numeric value “IP address B”. Encapsulated within the Layer-3 datagram, a Layer-4 transport header 538 includes source port 533 having a numeric value of port # “80” and a destination port 534 having a numeric value of port # “9,999”. Embedded within IP packet payload 539, the response to the services request is payload (data) 536 which may contain HTML code for creating a web page.
So while some port #s are open and assigned as needed at the election of the server, others are reserved for use in UDP packets, for TCP packets or for both. A list of common official reserved port #s is listed in FIG. 31C including the well-known port 80 for HTTP web browsing using TCP only, port 20 for file transfers, telnet at port 23, POP3 email for TCP only at port 110, IMAP3 email on port 220, and a variety of secure versions such as HTTPS, IMAPS, FTP over TSL/SSL, etc. Recently however, it was revealed that SSL security, the intrinsic transport layer security method, is vulnerable to certain kinds of attacks, as described in one of the headlines at the beginning of this application. Port 7, used for Layer-4 echo and ping functions, has been largely superseded by the Layer-3 ICMP function.
The table in FIG. 31D illustrates ranges of port #s and their use. As shown, reserved port #s generally occur in the range of port #s 0 to 1,023 as “system ports” while for port #s above 49,152, the ports are generally open and freely available. In the intermediate range, for port #s between 1,024 and 49,151, large blocks are open and available for dynamic port allocation but some reserved ports are also present. More commonly, large corporations may report their dedicated use of select ports in their software but not register the port #s officially. Regardless, “official” and reserved port #s, while not strictly policed, receive widespread support because companies want to insure interoperability of their systems and software with the Internet and other businesses.
Ports are also used to facilitate “firewalls”, preventing or at least inhibiting unauthorized access to a computer, server, or device for a particular service. For example, any server located on an intranet, i.e. on a private network located behind a NAT or protected by a dedicated network security box, can be limited to specific types of service requests initiated from the Internet. For example, the firewall may be set to block port 80 requests, disabling HTTP service requests and preventing web page downloads from the Internet. Alternatively the firewall can be set to allow only port 25 service requests from the Internet, with no other ports are enabled. In such a cases, the firewall allows simple mail transfer protocol or SMTP service requests, enabling emailing from the intranet to and from the Internet, but blocks all other types of transactions. The problem with such strict firewall measures is the added security blocks many valid transactions, preventing employees and vendors in the field from accessing important information needed to perform their job.
Another use of ports is to assist in delaying the date for port exhaustion in IPv4 IP addresses. Rather than assigning everyone multiple dedicated IP addresses for each personal device, Internet service providers or ISPs such as cable providers, public WiFi operators, cell phone carriers, and other have the ability to recycle Internet IP addresses dynamically and to employ private IP addresses to communicate between their internet gateway and their private clients. In this manner, a single Internet IP address can serve up to 65,534 users for a Class B subnet or 254 users for a Class C subnet, provided that the upstream connection bandwidth is sufficiently fast to support the traffic.
The device that performs this one-IP-address to many-IP-address bidirectional conversion and communication is referred to as a “network address translator” or NAT. Shown in FIG. 32A, NAT 550 comprises an IP address & port # translation block 554 and two communication stacks comprising Internet connected communication stack 553A and Class C subnet communication stack 553B. Internet connected communication stack 553A connects to all other Internet connected devices such as server 22A, router 27, and web server 511 through public network 531. At the transport Layer 4, communication stack 553A manages concurrent communications with multiple devices such as 557A and 557B. In the example shown, non-public network 552 connects various home devices such as notebook 35, refrigerator 34, desktop 35, and home WiFi router 62A to Class C subnet communication stack 553B. In the private network, the Layer 4 transport protocols manage the communication between communication stack 553B and the network-connected devices, e.g. Layer 4 connections 556A and 556B. In supporting information exchange between the private and public networks, IP address and port translation block 554 dynamically constructs an ad hoc translation table 555 to map each private network packet transmission to the public network and vice versa.
Operation of a NAT is illustrated in FIG. 32B where desktop 36 and notebook 35 connected to a private network “behind the NAT’ attempt to simultaneously communicate with Internet connected web server 21A and email server 27 through only a single Internet connected public IP address. In the example shown, notebook 35 has an IP address designated here as “NB” and dynamic port assignment, desktop 36 has an IP address designated here as “DT” and dynamic port assignment, web server 21A has an IP address designated here as “S1” and uses port 80 for HTTP based web page services, and email server 27 has an IP address designated here as “S2” and uses port 110 for IMAP based email services. On the Internet, NAT 550 has a public IP address “N” and uses dynamic port assignment.
In operation, notebook 35 initiates a web page request by IP packet 560A from source IP address “NB” and arbitrary port #9999 to web server 21A at destination IP address S1 and port #80. Concurrently, desktop 36 initiates an email request by IP packet 561A from source IP address “DT” and arbitrary port #10200 to email server 27 at destination IP address S2 and port #110. Upon receiving these requests, NAT 550 maps the incoming messages to an outgoing Internet connection, mapping the address translation in translation table 555. The NAT then forwards the request from notebook 35 by retaining the destination IP address S1 and port number 9999 but swapping the source information from notebook 35 to NAT 550 with a translated source IP address of “N” and a source port #20000 to create Internet IP packet 560B.
In a similar manner NAT 550 translates the request from desktop 36 to email server 27 by retaining the destination IP address S2 and port number 9999 but swapping the source information from desktop 36 to NAT 550 with a translated source IP address of “N” and a source port #20400 to create Internet IP packet 561B. In this way, web server 21A and email server 27 both think they are communicating with NAT 550 and have no idea about any request coming from notebook 35 and desktop 36. In fact the IP addresses used by devices like addresses “NB” or “DT” connected on the NAT subnet are not valid addresses on the Internet and cannot be connected directly without the intervention of NAT 550.
Once web server 21A receives requesting IP packet 560B, it replies by sending HTML code for constructing a web page, routed by IP package 560C from source IP address “S1” and port “80” to a destination IP address “N” and port #20000. By referring to translation table 555, the NAT knows that replies to port #20000 correspond the request from notebook 35, and forwards the message by swapping its destination IP address and port # to the notebook's, namely IP address “NB” and port #9999 to create response IP packet 560D.
In parallel to this transaction, upon receiving the IP packet 560B request from NAT 550, email server 27 replies sending IMAP code containing email, routed by IP package 561C from source IP address “S2” and port #110 to a destination IP address “N” and port if 20400. By referring to translation table 555, the NAT knows that replies to port #20400 correspond the request from desktop 36, and forwards the message by swapping its destination IP address and port # to the desktop's, namely IP address “DT” and port #10200 to create response IP packet 561D. In this manner, multiple users can separately address multiple Internet connected devices and sites through a single IP address.
Other Layer 4 Transport Protocols—
Aside from TCP and UDP, there is a general lack of consensus as to whether other common transport protocols operate as unique and independent Layer 4 protocols, if they operate as Layer-4 supersets of TCP and UDP, or if they are simply upper layer application programs running atop of UDP and TCP.
One such protocol, “datagram congestion control protocol” or DCCP is a message-oriented transport layer protocol for managing congestion control useful for applications with timing constraints on the delivery of data such as streaming media and multiplayer online games, but lacks sequencing for out of order packets available in TCP. While it may be employed on a standalone basis, another application of DCCP is to provide congestion control features for UDP based applications. In addition to carrying data traffic, DCCP contains acknowledge traffic informing the sender when a packet has arrived and whether they were tagged by an “explicit congestion notification” or ECN.
Another attempt to manage the timely delivery of packets, specifically text, is LCM or “lightweight communication and marshaling” based on the multicast option of UDP. In contrast to UDP unicast, one advantage of UDP multicast is that multiple applications behave consistently on a single host or spread across multiple platforms. Aside from seeking to minimize network latency, other Layer 4 protocols are used for “tunneling” data to create virtual private networks or VPNs, operating on and across the Internet. One such UDP based protocol is generic routing encapsulation or GRE, point-to-point tunneling protocol or PPTP, secure socket tunneling mechanism or SSTM, secure shell or SSH, and others. Some VPN implementations meant to improve security however actually increase network latency.
Aside from the aforementioned standardized Layer 4 transport protocols of UDP and TCP, it is unclear what the adoption rate of proprietary protocols are and what tradeoffs they make in ensuring low latency at the expense of IP packet corruption, or ensuring security at the expense of increased latency.
OSI Layers 5, 6, and 7—Application Layers
While the port # identifies the type of service requested, the application must understand the nature of the data encapsulated as a Layer 4 payload. Taking action based on the contents of the delivered package is the role of the upper OSI application layers, Layers 5, 6, and 7. The interconnection of multiple devices at an application layer is illustrated graphically in the block diagram of FIG. 33 where three devices 570A, 570B and 570C each with separate computing and data storage capability 573A, 573B and 573C are connected by corresponding communication stacks 572A, 572B and 572C sharing application layer connectivity 571. In reality the devices include connections at all the OSI layers, but for simplicity's sake only the application layer connection is shown.
Aside from connection to a packet-switched network, the main rule for devices to establish communication at the application layers is the same or compatible application must exist on all the communicating devices. For example, a banking program cannot understand a video game program, a CAD program cannot interpret HD video streaming, a music player cannot perform stock market trades, and so on. While many application programs are custom or proprietary to one company or vendor, several applications and services are ubiquitous, and in some cases even governmentally mandated to operate in an open source environment. For example, when Microsoft tried to link its Outlook mail server explicitly and exclusively to Microsoft Windows, courts in the European Union ruled such actions violated anti-trust laws and forced Microsoft to release its mail application as a standalone program with well-defined connections to the operating environment in which it operates. Soon thereafter, numerous competing mail programs emerged on multiple computing platforms using Microsoft's mail protocols and features.
The distinction between application Layers 5, 6, and 7 are subtle. As a consequence many people refer to the layers collectively in the 7-layer OSI model as “application layers”, “upper layers” or even just as Layer 7. In the latter interpretation, Layer 7 is viewed as the true application, and Layers 5 and 6 are considered as layers used to service it, similar to subroutine calls in a computer program. To make matters even more confusing, an alternative five-layer description of packet-switched networks competing with the 7-layer OSI model merges all three application layers into one layer, referred to as layer 5, but closer in construction to Layer 7 in the OSI model.
Session Layer 5—
In the 7-layer OSI model, Layer 5 is called the “session layer”, coordinating dialogues between and among applications, including managing full-duplex, half-duplex, or simplex communication, as well as providing checkpointing, recovery, and graceful termination of TCP sessions. It also establishes, manages and terminates the connections for remote applications explicitly in application environments that use “remote procedure calls” or RPC. Layer 5 also deals with managing cross-application sessions when one-application requests access to another application's process, e.g., importing a chart from Excel into PowerPoint. Another Layer 5 application, “socket secure” or SOCKS, is an Internet protocol used for routing IP packets between a server and client through a proxy server and to perform “authentication” to restrict server access to only authorized users. Relying on user identity to confer or deny access and privileges, SOCKS security is therefore only as robust as the authentication processes employed.
In operation, SOCKS acts as a proxy, routing TCP connections through an arbitrary IP address and providing forwarding service for UDP packets. In cases where a client is blocked from server access by a firewall, using SOCKS the client may contact the SOCKS proxy the client's network requesting the connection the client wishes to make to contact the server. Once accepted by the server, the SOCKS proxy opens a connection through the firewall and facilitates communication between the server and the client as though the firewall is nonexistent. Operating at a lower layer than HTTP based proxies, SOCKS uses a handshake method to inform the proxy software about the connection that the client is trying to make without interpreting or rewriting packet headers. Once the connection is made, SOCKS operates transparently to the network users. A newer version of SOCKS, referred to as SOCKS4, enhanced the software so clients may specify a destination domain name rather than requiring an IP address.
Being no more robust than the authentication process used to identify an authorized user, SOCKS may be converted by hackers and criminals into a means to defeat firewall security measures. To combat this exposure, SOCKS5 was developed to offer a greater number of choices for authentication, as well as to add support for UDP forwarding using DNS lookups. SOCKS5 was also updated to support both IPv4 and IPv6 IP addresses. During handshaking and session negotiation, both client and server identify by number the methods available for authentication, namely:
0x00: No authentication
0x01: GSSAPI methods
0x02: Username/password
0x03-0x7F: IANA assigned methods
0x80-0xFE: methods reserved for private use
After negotiation is completed and an authentication method is selected, communication may commence. The simplest authentication procedure Username/password has been proven to be intrinsically unsecure and easy broken, especially in four character PIN type passwords. As an alternative “generic security service application program interface” or GSSAPI is not by itself a security method but an IETF standardized interface calling on a software library containing security code and authentication methods, mostly written by security security-service vendors. Using GSSAPI, users can change their security methods without the need to rewrite any application code. The procedure calls include obtaining the user's identity proof or secret cryptographic key, generating a client token or challenge to send to the server and receiving a response token, converting application data into a secure or encrypted message token and restoring it, etc. Alternatively, “Internet assigned numbers authority” or IANA, a division of the non-profit ICANN, i.e. “Internet corporation for assigned names and numbers,” has assigned certain methods under its charter to ensure network stability and security.
Presentation Layer 6—
Layer 6 manages the syntactic representation of data and objects including maintaining agreement on character coding, audio, video, and graphical formats. In essence, the presentation layer, sometimes called the syntax layer, prepares or translates files and embedded objects into a form usable by a given application and “presents” the data to the application Layer 7. For example, if a graphical object is received in a format not comprehendible by a given application, presentation layer software, whenever possible converts or transforms the format to be acceptable for a given application. Conversely, Layer 6 may convert proprietary formatted objects into standard formats and encapsulate them before passing them down to the session Layer 5. In this manner, Layer 6 establishes a syntactic context between dissimilar applications for moving data up and down the communication and protocol stack. For example, a graphic created in Adobe Illustrator or AutoCAD may be imported and embedded into a PowerPoint presentation or into a HTTP based email document.
Layer 6 is also responsible for encryption, i.e. formatting and encrypting data before sending across a network, and conversely decrypting data and reformatting it before presenting it to the application layer. For example, upon receiving a tab-delineated data file sent in an encrypted format over the Internet, Layer 6, once it has decrypted the file according to negotiated decryption keys, can reformat the data for importation into a row-column based spreadsheet, e.g. Excel, or a relational data base such as Oracle. To enhance security, encryption and decryption by Layer 6 can be restricted to authorized senders and recipients whose identity is confirmed a priori via a Layer 5 authentication procedure. The security of such communiqués is no better than the encryption used to obscure the data file and the authentication process used to confirm a user's right to access the data file.
While presentation layer software can be developed on a full custom basis for a specific device or operating system, for transportability and interoperability the code may be constructed by employing basic encoding rules of “abstract syntax notation, version 1” or ASN.1, including capabilities such as converting an EBCDIC-coded text file to an ASCII-coded file, or serializing objects and other data structures from and to XML. As a Layer 5 presentation protocol, ASN.1 maps structured data to specific encoding rules, e.g. transforming an integer into a bit string to be transmitted and likewise decodes the bit string using “XML encoding rules” also known as XER. Examples of various formats covered by Layer 6 operations include:                Text including ASCII and EBCDIC formats        Graphics including PNG, JPG, GIF, BMP, EPS        Sound and video including MP4, WMV, MOV, AVI, MIDI        Documents including PDF, DOC, PPT, HTML, XML, MIME, compression (e.g. ZIP)        Streaming including RTP, RTSP, RTMP        Encryption including TLS/SSL, SSH        
Application Layer 7—
In the seven-layer OSI model, Layer 7, the “application” layer facilitates the interface between a user, client, or device with a host, server, or system. Because the applications layer is closest to the user, it facilitates the interface between the user and host. In the case where the user is human and the host is an electronic device such as a cell phone or computer, this interface is facilitated through keystrokes, touch or gestures using a keyboard or touch screen or sometimes through voice. Touchscreen interfaces, originally referred to as GUIs, or graphical user interface, has largely given way to the term UI/UX meaning user-interface/user-experience, an interface design based on studying human-machine interaction. In machine-to-machine or M2M and machine-to-infrastructure or M2X, the human interface is replaced by dissimilar hardware devices speaking different machine languages.
Regardless of these differences, the application layer must allow human and machine or multiple machines to talk to one another in a recognizable form. Since the OSI model deals with the communication and protocol stack, these interfaces fall outside the scope of the OSI model but still play an important role in negotiating a conversation including identifying communication partners, determining resource availability, and synchronizing communication. When identifying communication partners, Layer 7 must determine if another party has the right software installed, is allowed to communicate, and carries the right credentials.
In some cases, it may require Level 5 to first authenticate the other party's identity before initiating any data exchange. This confirmation can be performed at the time of the information exchange request, or negotiated a priori through a process of bonding, or using AAA validation, a three step procedure meaning authentication, authorization, and administration. In communication applications such a cell phones using VoIP, the application software must also test to confirm in the network is available and sufficiently stable to place a call, i.e. to establish a sequence of IP packets sent and received with acceptably small latency to support a conversation with acceptable QoS levels. In synchronizing communication, all communication between applications requires cooperation that is managed by the application layer.
Some examples of application-layer implementations include terminal emulation, email services, network management, web browsers, file management, backup and cloud storage services, peripheral drivers comprising:                File management including FTP, FTAM, SFTP, NNTP, IRC, SIP, ZIP        Web browsers including HTTP (e.g. Safari, Firefox, Chrome, Outlook, Netscape, etc.)        Email services including SMTP, IMAP, POP3 along with Microsoft Outlook, Apple Mail, Google Gmail, Yahoo, Hotmail, etc.        Communication and broadcast services including SIP, NNTP, IRC and “over-the-top” or OTT custom implementations        Network management including DNS, SNMP, DHCP, SNMP, BGP, LDAP, CMIP        Terminal emulation including Telnet        Backup and cloud storage services including NFS and commercial versions Android, iOS, Apple Time Machine, Apple iCloud, Carbonite, Barracuda, Dropbox, Google Drive, Microsoft One Drive, Box        Peripheral drivers including printer, scanner, camera, flashcards        Security applications such as Symantec, Norton, AVGFor computer and smartphone applications, example the most common applications as underlined, comprise file transfers, hypertext transfers for web browsing, email services, and DNS lookups for converting domain names into IP addresses. Because of their ubiquity, these generic applications have dedicated ports assigned for such services.        
File Management Applications—
One common Level 7 application, the file transfer program or FTP, used for sending files or downloading data. The files, once downloaded, are “written” into a nonvolatile storage drive for later use. If the files includes executable code, the download and install program together with the device's operating system open and install the software into the apps directory on the computer or mobile device.
This process is illustrated in FIG. 34, where notebook 35 having a numeric IP address “NB” and dynamic port assignment requests a file from file server 21A by sending IP packet 580 as an FTP request using TCP transport, to port #21, the FTP control port of the file server. The resulting IP packet 580 includes destination IP address “S1”, the destination port #21, along with its source IP address “NB”, and its ad hoc port #9999. Since port #21 represents the control port for requesting file transfer services, file server 21A knows that notebook 35 is requesting a file and expects login information to confirm the packet's destination IP address and port number.
In an active FTP session, notebook 35 then sends the destination address and destination port # for the requested file, analogous to providing wiring instructions for a bank wire transfer comprising a SWIFT code and an account number. The resulting IP packet 581 includes the notebook's IP address “NB” and its port #9999 as the source info, and the server's IP address “S1” as the destination. The destination port # of the packet is changed to port #20 to negotiate the FTP data channel separate from the command connection.
In response, file server 21A then opens the IP packet's payload to determine the file name and optionally the file path being requested, and after locating file 583, encapsulates it into a responsive IP packet 582 and sends the packet back through the data to notebook 35 by swapping the IP addresses and ports, i.e. where the destination becomes IP address “N B” at port #9999, and the source becomes IP address “S1” and port #20. Like the previous two transactions, the IP packet uses TCP as its transport mechanism.
Once notebook 35 receives the file, it is extracted from the payload of packet 582 and possibly converted using presentation Layer 6 into the data file 583 for storage or for uploading into the notebook's operating system 585. If so, the program or another program, a utility in the operating system, uploads 583 the executable code of file 583 to create application program 586.
Two issues persist with the original implementation of an active FTP file transfer. Firstly, since FTP command port #21 is an open standard, hackers frequently use it to attempt to fake their identity and download unauthorized files, or otherwise to cause denial of service attacks which jams the device from being able to operate. The other issue with an active FTP transfer is IP packet 582 sent from the file server may become blocked by a NAT or firewall, intercepting its delivery to notebook 35. A variant of this procedure, called passive FTP can circumvent the firewall issue but now most NAT routers are FTP aware and support file transfers with proper credentials or authentication.
In addition to FTP services available on port #20, or alternatively “secure file transfer protocol” also known as SSH file transfer protocol. The transfer utilizes the secure shell or SSH port #22, the same one used for secure logins and secure-port-forwarding. Alternative file transfer applications include the less adopted “file transfer access and management” or FTAM, and data compression using ZIP and other algorithms.
Web Browsers & Web Servers—
Another broad class of Layer 7 applications comprises programs that use a specialized formatting technique called “hypertext”. These applications include “web servers” that store hypertext documents; “web browsers” who read and display them; and a specialized communication transfer protocol with dedicated registered port assignments to facilitate rapid access. A key component, the web browser is a graphically oriented communication program designed to download and display hypertext documents from the Internet, intranet or other packet-switched networks. A browser's network companion, the web server, is a high-speed computer used to distribute hypertext documents to browsers requesting access to their files. Hypertext may also be used to display emails with embedded formatting not available from simple email viewers.
In operation, browsers do not establish direct connection with other browsers but instead exchange information through intermediaries comprising one or more web servers accessible by both. To publish a document, a user simply “posts” the document or image to a “web page” hosted on any server connected to the Internet or any other private or public network or cloud. The user posting the document decides who has access to the posted files and whether or not they have read-only or editing privileges. The web server hosting the documents may be owned or managed by the document's publisher, or may represent a disinterested party uninvolved in the posted content and web page design.
Hypertext-based documents utilize a specialized document format language called HTML or “hypertext markup language” to display textual, graphical and video content in manner that is dynamically adjusted to best fit the window it will be displayed in. The function of HTML is to download the material to be displayed and to dynamically format it on a page-by-page basis. Each page may contain both static and dynamically sized fields with text loaded from hard-coded software or downloaded from a file or database. Although more complicated to design and write, the advantage of using a database for HTML page content is that the database can be updated often or regularly and the web page will automatically adjust. Otherwise, every web page must be redesigned as content changes. HTML also specifies the location of objects including fixed location footers, headers, sidebars, and fields, as well as floating objects that text dynamically wraps around.
The objects themselves can represent static graphical objects or photos, animated graphics, flash videos, audio files, videos and HD movies, and more. Like text, the formatting may be hard coded or dynamically linked. Linked objects may be translated using Presentation Layer 5 functions from one format or object type into another dynamically. For example, a predefined field within a spreadsheet may be converted into a static snapshot or graphic at the time the page is drawn. Other objects may also comprise live links to other servers and webs sites and when clicked may transfer information about the web page viewer's computer, personal and contact information, or preferences and interests, with or without prior approval of the viewer. In essence, clicking a link is considered a tacit approval of the terms and conditions of the host of the linked web page. For example, clicking on a banner ad for a new car may send information to a database for people interested in buying new cars, and result in unwanted “spam” email for new car promotions being sent to the viewer's personal email. On dynamic web pages, the content of the banner advertising fields may from that time on, automatically start to display automotive advertising—all based on one single action of a viewer's clicking a link and viewing an advertisement. Internet marketing companies sell such information about users to merchants and advertisers even without knowing whether their collection of a viewer's behavior is real or unintentional.
Importantly, in hypertext-based documents, much of the text and almost all the objects used to construct a requested web page are not included in the initial HTML download of a web page but instead are loaded after the initial HTML page is. The documents and objects are not loaded using the aforementioned FTP protocol, but instead utilize a more dynamic process referred to as HTTP or “hypertext transfer protocol”. HTTP represents an application and a data format operating at the presentation Layer 6 and servicing Layer 7 applications such as web browsers.
At Layer 4, the transport layer, HTTP operates on its own reserved port # for web access, specifically port #80. Because port #80 is often authorized and unblocked by firewalls or security software, like FTP port 21, port 80 is a favorite target for hackers wishing to gain unauthorized documents or access, or to launch “denial-of-service” attacks, a malicious attack on a server to prevent it from supporting normal functions by forcing it to service meaningless FTP or HTTP requests from a hacker or adversary.
The procedure for downloading a web page via HTTP is illustrated in FIG. 35A where notebook 35, having an IP address “NB” and an ad hoc port #9999, requests an HTML document from web server 21A at an IP address “S1” using IP packet 590. To request a web page, IP packet 590 specifies port #80 of the web server. In response, web server 21A then attaches an HTML payload and return IP packet 591 by swapping the addresses and port #s from that of packet 591, namely where the source is now port i#80 at IP address 9999 and the destination is now port #9999 at IP address “NB”. The HTML data is carried using a TCP based connection to insure high payload reliability.
After receiving the HTML code, the browser in notebook reads the HTML file and identifies one-by-one the IP calls to download content into the web page. In the example shown, the first call for graphics is to download content from the same web server 21A as the first download, so notebook 35 prepares IP packet 592 again to destination IP address “S1” and port #80. Because the notebook's port is assigned dynamically, the source of IP packet 592 changes to ad hoc port #10001 but remains from IP address “NB”. As a response web server 21A encapsulates JPEGs into the payload of IP packet 593, swapping the source and destination addresses so that the source is port #80 from IP address “S i” with a destination of port 10001 at IP address “NB”. Upon receiving IP packet 593, the browser in notebook unwraps the payload, converts the graphics format using presentation Layer 6 into a browser compatible format, then sizes and installs the pictures into the browser page, i.e. the Layer 7 application.
As illustrated, the next object download request in the HTML page is not from web server S1 but from a completely different server, specifically media server 511 having an IP address “S5”. As such the web browser in notebook 35 prepares IP packet 594 as another HTTP request to destination port #80, this time at destination IP address “S5”. While the source IP address remains “S1”, with dynamic port assignment, the source port # again changes, this time to port #10020. In response, media server 511 prepares IP packet 595 from a source having its IP address “S5” and port address 80, to the notebook's most recent IP address “NB” and port #10030. The attached payload encapsulated in IP packet 595 contains MPEGs. Once received, presentation Layer 6 prepares the files, delivers them to application Layer 7, where the browser application installs them, and continues reading the HTML code and assembling the web page until it is complete.
So using HTML, the content of a web page is not constructed from a single download like a file sent using FTP, but is built using a succession of calls to different servers each delivering specific content. This concept is illustrated graphically in FIG. 35B, where HTML generated page 591, text and JPEG 593 are downloaded from port #80 of web server “S1”, MPEG video 595 is downloaded from port #80 of media server 511, and PNG photo 596 and JPEG 597 come from port 80 of file server 27. In this manner a web page is built from multiple sources. Aside from the HTML code requesting the various textual, graphical and audio-video elements, there is no central command or control in charge of creating the document. If for example, one server exhibits a slow response because of its own loading of from traffic congestion, the painting of web page 591 may hang, stopping for some time before it is completed. This interruption may have nothing to do with the host of the web page, for example Yahoo, but instead may be caused from the linked servers called by the HTML web pages, e.g. from CNN or Fox news servers.
One risk of HTML web pages is the opportunity for hackers and malware to gather information about a user, specifically if a link is redirected to a pirate site phishing for personal information under the auspices of being a valid ethical business in sincere need of a user's home address, credit card number, PIN, social security number, etc.
The World Wide Web—
One extremely popular, if not universal, application of HTML is web browsing for documents available over the World Wide Web, specifically web addresses reached by typing an address into a browser starting with the letters “www”. In operation, each time a user types a web address, also known as a “uniform resource locator” or URL into a browser's address bar, e.g. “http://www.yahoo.com”, the browser sends out an inquiry to the router located immediately above it to determine the targeted IP address. This process, illustrated previously in FIG. 3, comprises notebook 60 sending an IP packet to router 62A with a port #53 request, the port number identifying a services request for DNS lookup. Router 62A forwards the DNS request to domain name server router 62A, which in turn supplies the numeric IP address of the targeted domain. If, for example, server 66A is the Yahoo web server with a numeric IP address “S11”, then DNS server 71 will return that IP address to router 62A, and the IP packet is constructed with an IP address “S11” and a web page destination port #80.
It should be noted while many documents are accessible over the World Wide Web, not all Internet documents are posted on the web. Some web pages, for example, while accessible over public networks, do not use the www prefix, primarily to discourage hackers from searching for them. Other web servers utilize private networks or intranets hidden behind a firewall, and are accessible only from behind the firewall or through access using an encrypted pipe or tunnel known as a “virtual private network” or VPN. To understand the unique property of the World Wide Web, it is important to understand its development and evolution, responsible both for its benefits and strength as well as for its deficiencies and vulnerabilities.
Historically, prior to the invention of the World Wide Web and the browser, communication over the Internet primarily relied on email and on file transfers using the FTP protocol. Then in 1989, Tim Berners-Lee demonstrated the first successful Internet communication between a client and server using “hypertext transfer protocol” or HTTP. Thereafter, at the National Center for Supercomputing Applications at the University of Illinois Urbana-Champaign, Marc Andreesen developed the first full-featured browser named Mosaic, renowned for its pioneering intuitive interface, support of multiple Internet protocols, compatibility with Macintosh and Microsoft Windows environments, backward compatible support of earlier protocols such as FTP, NNTP, and gopher, as well as easy installation, robust stability, and good reliability. Of key significance, Mosaic was the first browser to display images and text together on one page rather than opening graphics in a separate window.
Mosaic was quickly commercialized into Netscape Navigator, and in many respects responsible for fueling the Internet revolution and the widespread use of web sites for personal and business applications. While countless browsers exist today, Firefox, a direct descendant of Mosaic and Netscape, as well as Microsoft Explorer, Apple Safari, and Google Chrome represent the most widely used browsers today. Another class of application, the web search engine, concurrently emerged to facilitate searching for documents and content on the World Wide Web. Search engines such as Google and Yahoo Search dominate the market today.
As businesses flocked to the Internet, e-commerce was born with web-based sales and purchases emerging on generic sites such as Amazon, eBay, Barnes & Noble, Best Buy, and recently Alibaba. Market fragmentation soon ensued with vendors specializing on a specific type of product or service, rather than offering a generic e-commerce web site. For example, commercial merchants based on comparative shopping for travel and transportation such as Priceline, Expedia, Orbitz, and Sabre quickly appeared along with the airlines' own dedicated e-marketplaces. For users wishing to download “content” comprising music, video, e-books, games, and software, providers such as Apple's iTunes and AppStore, Walmart, Amazon MP3, Google Play, Sony Unlimited Music, Kindle Fire, and Windows Store offer online services. Audio and video streaming services such as iTunes, Google Play, Netflix, Hulu Plus, Amazon Prime, along with iHeart radio and cable providers such as Comcast Xfinity are now becoming increasingly popular, especially with WiFi services being offered in airplanes, busses, limos and in terminals and coffee shops globally.
Despite concerns over privacy and security, children and younger generation adults today post a tremendous amount of personal information on public websites. Called “social media”, the industry started with web sites supporting convenient publication, updates, and editing of documents where individuals posted their personal opinions and experiences chronologically on web logs or “blogs”. YouTube then enabled aspiring artists with the ability to post and distribute homemade videos. Facebook expanded on this trend, offering blog features chronologically merged with photo and video postings in an interactive format where viewers of your “home page” post comments including when they “like” something they read or saw. Facebook also expanded on contact management, searching people's contact lists for friends to add into Facebook, and allowing the account owner to “friend” someone by requesting access to their home page or ignore them. By reaching into people's personal contact managers, the number of Facebook users grew exponentially, enabling people with out-of-date contact info to rediscover one another over social media. The same social media methods were then adapted for dating, matchmaking or obtaining sexual services (legal or illegal), and in the professional world for contact industry peers, e.g. using LinkedIn.
Based on the same open-source philosophy as the Internet and OSI packet-switched networks, the World Wide Web lacks any central command or control and as such remains unregulated, making it difficult for any government or regulating agency to control, limit, or censor its content. Moreover, by publishing personal information, it has become easier for criminals to “case” a target harvesting their public information in order to better guess their passwords, watch their activities, and even track their whereabouts using GPS and transaction information. In some instances, e.g. on an open source contact and referral service called Craig's List, sexual predators and murderers disguised their identity and intentions in order to recruit victims of their perverse crimes. Aside from criminals and hackers using the World Wide Web and social media to monitor their targets, recent news revelations have shown that governments too track and monitor citizens' emails, voice calls, web sites, blogs, and even daily movements, without probable cause or a warrant approving them to do so. One argument used to justify such intrusions is that information freely distributed on a public site or over a public network is “fair game” and that the need to preemptively prevent crime and terrorism before it happens, much like “future-crime” in the popular movie “Minority Report”, is in itself justification for such aggressive surveillance and spying.
As a reaction to identity theft and to such unwanted governmental intrusions, consumers are migrating to sites like Snapchat and phone services reporting enhanced security and privacy requiring confirmation or “authentication” of the other party as someone you know and trust. Such “trust zones” as they are now referred to, still however depend on security methods available for packet-switched communication networks. As evidenced from the opening section of this application, these networks, communication protocols, web sites, and data storage are not, however, secure, otherwise there would not be so many reported cases of cybercrime in the press today.
Email Applications—
One of the most common and oldest applications over packet-switched networks is electronic mail or “email”. This process is illustrated in FIG. 36, where notebook 35 having a numeric IP address “NB” and dynamic port assignment uploads email IP packet 601 to email server 600. In addition to its encapsulated SMTP email payload, TCP-based email IP packet 601 includes its destination IP address “S9”, its destination port #21 or alternatively port #465, along with its source IP address “NB”, and its ad hoc port #10500. While port #21 represent email services using simple mail transfer protocol or SMPT, port #465 represents its “secure” version SMTPS based on SSL technology. Recent news has reported, however, that SSL has been found to be breakable and not completely immune to hackers.
In response to receiving email IP packet 601, email server 600 acknowledges its reception by returning IP packet 602 containing SMTP confirmation sent to a destination IP address “NB” at port 10500 from email server 600 at source IP address “S9” using port #21 or using SSL port #46. Meanwhile, email server 600 concurrently pushes the email as an IMAP message in IP packet 605 from source IP address “S9” and IMAP port #220 to desktop 36 at destination IP address “DT” and ad hoc port #12000. Upon receiving the email message, desktop 36 confirms the IMAP message to email server 600 with IP packet 604 from source IP address “DT” at port #12000 to destination IP address “S9” and port 220. As such, email delivery involves a three-party transaction involving the sender from notebook 35, the email server 600, and the recipient at desktop 36. In the communication, the sender utilizes a SMTP protocol and the message recipient utilizes the IMAP protocol to confirm the message. The IMAP exchange updates the database on the server and on the desktop to insure their file records match. Because the email server acts as an intermediary, there is an opportunity to intercept the communiqué either by intercepting notebook to server IP packet 601 or server to desktop IP packet 605 or by hacking the file itself stored on email server 600. Alternatively, “plain old post-office” or POP3 applications can also be employed for mail delivery but without file server synchronization.
Other Layer-7 Applications—
Aside from file management, web browsers, DNS servers, and email functions, numerous other applications exist, including terminal emulation using Telnet, network management, peripheral drivers, backup utilities, security programs, along with communication and broadcast applications. For example backup applications include the TCP-based “network file system” or NFS, now in its fourth incarnation, as well as commercial backup software including custom versions for Android, iOS, Apple Time Machine, Apple iCloud, Carbonite, Barracuda, Dropbox, Google Drive, Microsoft One Drive, Box. In operation, cloud storage stores data on a network-connected drive in a manner similar to an email server. The data may be retrieved by the file owner, or if privileges allow, by a third party. Like email transactions, numerous opportunities exist to hack the data during transport and when stored on the server.
Communications and broadcast applications include “session initiation protocol” or SIP, a signaling protocol widely used for controlling multimedia corns sessions such as voice and VoIP, “Internet relay chat” or IRC, an application layer protocol for transferring messages in the form of text, as well as “network news transfer protocol” of NNTP, an application protocol used for transporting news articles between news servers and for posting articles. “Over-the-top” or OTT carriers such as Skype, Line, KakaoTalk, Viper, WhatsApp, and others utilize customized applications to deliver text, pictures, and voice over the Internet using VoIP.
Other applications include customized peripheral drivers for printers, scanners, cameras, etc. Network applications include “simple network management protocol” or SNMP, an Internet-standard protocol for managing devices on IP networks including routers, switches, modern arrays, and servers, “border gateway protocol” or BGP applications as standardized exterior gateways to exchange routing and reachability information between autonomous Internet systems, and “lightweight directory access protocol” or LDAP for managing directories by allowing the sharing of information about services, users, systems, networks, and applications available throughout private networks and intranets. One feature of LDAP-connected applications is that a single login provides access to multiple devices connected over a single intranet. Other network applications include CM IP, or the “common management information protocol”.
Another important network application is DHCP or “dynamic host configuration protocol”. DHCP is used for requesting IP addresses from a network server ranging from home networks and WiFi routers to corporate networks, campus networks, and regions ISPs, i.e. Internet service providers. DHCP is used for both IPv4 and IPv6.
Quality of Service
When considering the performance of a network, several factors are considered namely,
Data rate, i.e. bandwidth
Quality of service
Network and data security
User privacy
Of the above considerations, data rates are easily quantified in millions of bits per second or Mbps. Quality of Service or QoS, on the other the other hand, includes several factors including latency, sound quality, network stability, intermittent operation or frequent service interruptions, synchronization or connection failures, low signal strength, stalled applications, and functional network redundancy during emergency conditions.
For programs, files, and security related verifications, data accuracy is a critical factor. Which factors are important depends on the nature of the payload being carried across a packet-switched network. In contrast, for voice and video comprising real-time applications, factors affecting packet delivery time are key. Quality factors and how they affect various applications such as video, voice, data, and text are illustrated in a qualitative manner in the table shown in FIG. 37. A good network condition typified by consistent high data rate IP packet waveform 610A is one where there are minimal time delays, clear strong signal strength, no signal distortion, stable operation, and no packet transmission loss. Intermittent networks represented by lower data rate packet waveform 610B with occasional intermittencies affect video functions most significantly, causing painfully slow video downloads and making video streaming unacceptable. Congested networks operating a lower effective data throughput rates with regular short duration interruptions exemplified by IP packet waveform 610C not only severely degrade video with jerky intermittent motion, fuzzy pictures, and improper coloring and brightness, but also begin to degrade sound or vocal communication with distortion, echo, and even whole sentences dropped from a conversation or soundtrack. In congested networks, however, data can still be delivered using TCP by repeated requests for rebroadcasts.
Illustrated by IP packet waveform 610D, unstable networks exhibit low data throughput rates with numerous data stoppages of unpredictable durations. Unstable networks also include corrupted IP packages as represented by the darkly shaded packets in waveform 610D, which in TCP based transport must be resent and in UDP transport are simply discarded as corrupt or improper data. At some level of network degradation even emails become intermittent and IMAP fie synchronization fails. Because of their lightweight data format, most SMS and text messages will be delivered, albeit with some delivery delay, even with severe network congestion but attachments will fail to download. In unstable networks every application will fail and can even result in freezing a computer or cellphone's normal operation waiting for an expected file to be delivered. In such cases video freezes, sound become so choppy it becomes unintelligible, VoIP connections drop repeatedly even over a dozen times within a few minute call, and in some cases fails to connect altogether. Likewise, emails stall or freeze with computer icons spinning round and round interminably. Progress bars halt altogether. Even text messages bounce and “undeliverable”.
While many factors can contribute to network instability, including power failures on key servers and super POPs, overloaded call volumes, the transmission of huge data files or UHD movies, and during significant denial of service attacks on select servers or networks, the key factors used to track a network's QoS are its packet drop rate and packet latency. Dropped packets occur when an IP packet cannot be delivered and “times out” as an immortal, or where a router or server detects a checksum error in the IP packet's header. If the packet using UDP, the packet is lost and the Layer 7 application must be smart enough to know something was lost. If TCP is used for Layer 4 transport, the packet will be requested for retransmission, further adding loading to a potentially already overloaded network.
The other factor determining QoS, propagation delay, may be measured quantitatively in several ways, either as an IP packet's delay from node-to-node, or unidirectionally from source to destination, or alternatively as the round-trip delay from source to destination and back to the source. The effects of propagation delay on packet delivery using UDP and TCP transport protocols are contrasted in FIG. 38. As the intermodal network propagation delay increases, the time needed to perform round-trip communication such as in VoIP conversation increases. In the case of UDP transport 621, the round trip delay increases linearly with propagation delay. Since long propagation delays correlate to higher bit error rates, the number of lost UDP packets increases, but because UDP does request the resending of dropped packets, the round trip time remains linear with increased delay. TCP transport 620 shows a substantially longer round trip time for each packet sent than UDP because of the handshaking required to confirm packet delivery. If the bit error rate remains low and most packets do not require resending then TCP propagation delay increases linearly with intermodal propagation delay but at a higher rate, i.e. the line slope of TCP 620. If, however, the communication network becomes unstable as the propagation delay increases, then the round trip time resulting from TCP transport shown by line 622 grows exponentially because of the protocol's need for retransmission of dropped packets. As such. TCP is contraindicated for time sensitive applications such as VoIP and video streaming.
Since all packet communication is statistical, with no two packets having the same propagation time, the best way to estimate the single direction latency of a network is by measuring the round trip time of a large number of similarly sized IP packets and dividing by two to estimate the single-direction latency. Latencies under 100 ms are outstanding, up to 200 ms are considered very good, and up to 300 ms still considered acceptable. For propagation delays of 500 ms, easily encountered by OTT applications running on the Internet, the delays become uncomfortable to users and interfere which normal conversation. In voice communication, in particular such long propagation delays sound “bad” and can result in reverberation, creating a “twangy” or metallic sounding audio, interrupting normal conversation while the other party waits to get your response to their last comment, and possibly resulting in garbled or unintelligible speech.
To be clear, the single-direction latency of a communication is different than the ping test performed by the Layer 3 ICMP utility (such as the free network test at http://www.speedtest.net) in part because ICMP packets are generally lightweight compared to real IP packets, because the ping test does not employ the “request to resend” feature of TCP, and because there is no guarantee over a public network of the Internet, that the ping test's route will match the actual packet route. In essence, when the ping experiences a long delay, something is wrong with the network or some link between the device and the network, e.g. in the WiFi router, or the last mile, but a good ping result by itself cannot guarantee low propagation delay of a real packet.
In order to improve network security, encryption and verification methods are often employed to prevent hacking, sniffing or spying. But heavy encryption and multiple key encryption protocols constantly reconfirming the identity of a conversing parties, create additional delays and in so doing increase the effective network latency, degrading QoS at the expense of improving security.
Cybersecurity and Cyberprivacy
The other two major considerations in communications are that of cybersecurity cyberprivacy. While related, the two issues are somewhat different. “Cybersecurity including network security, computer security and secure communications, comprises methods employed to monitor, intercept, and prevent unauthorized access, misuse, modification, or denial of a computer or communications network, network-accessible resources, or the data contained within network connected devices. Such data may include personal information, biometric data, financial records, health records, private communications and recordings, as well as private photographic images and video recordings. Network-connected devices include cell phones, tablets, notebooks, desktops, file servers, email servers, web servers, data bases, personal data storage, cloud storage, Internet-connected appliances, connected cars, as well as publically shared devices used by an individual such as point-of-sale or POS terminals, gas pumps, ATMs, etc.
Clearly, cybercriminals and computer hackers who attempt to gain unauthorized access to secure information are committing a crime. Should illegally obtained data contain personal private information, the attack is also a violation of the victim's personal privacy. Conversely, however, privacy violations may occur without the need for cybercrime and may in fact be unstoppable. In today's network-connected world, unauthorized use of a person's private information may occur without the need of a security breach. In many cases, companies collecting data for one purpose may choose to sell their data base to other clients interested in using the data for another purpose altogether. Even when Microsoft purchased Hotmail, it was well known that the mail list was sold to advertisers interested in spamming potential clients. Whether such actions should be considered a violation of cyberprivacy remains a matter of opinion.
“Cyberprivacy” including Internet privacy, computer privacy, and private communication involves an individual's personal right or mandate to control their personal and private information and its use, including the collection, storage, displaying or sharing of information with others. Private information may involve personal identity information including height, weight, age, fingerprints, blood type, driver's license number, passport number, social-security number, or any personal information useful to identify an individual even without knowing their name. In the future, even an individual's DNA map may become a matter of legal record. Aside from personal identifying information, non-personal private information may include what brands of clothes we buy, what web sites we frequent, whether we smoke, drink, or own a gun, what kind of car we drive, what diseases we may have contracted in our life, whether our family has a history of certain diseases or ailments, and even what kind of people we are attracted to.
This private information, when combined with public records relating to personal income, taxes, property deeds, criminal records, traffic violations, and any information posted on social media sites, forms a powerful data set for interested parties. The intentional collection of large data sets capturing demographic, personal, financial, biomedical, and behavioral information and mining the data for patterns, trends and statistical correlations today is known as “big data”. The healthcare industry, including insurance companies, healthcare providers, pharmaceutical companies, and even malpractice lawyers, are all intensely interested in personal information stored as big data. Automotive and consumer products companies likewise want access to such databases in order to direct their market strategy and advertising budgets. In recent elections, even politicians have begun to look to big data to better understand voters' opinions and points of political controversy to avoid.
The question of cyberprivacy is not whether big data today captures personal information (it's already standard procedure), but whether the data set retains your name or sufficient personal identity information to identify you even in the absence of knowing your name. For example, originally, the U.S. government stated that the personal information gathered by the healthcare.gov web site used for signing up to the Affordable Care Act would be destroyed once the private medical accounts were set up. Then, in a recent revelation, it was disclosed that a third-party corporation facilitating the data collection for the U.S. government had previously signed a government contract awarding it the right to retain and use the data it collected, meaning that personal private data divulged to the U.S. government is in fact not private.
As a final point, it should be mentioned that surveillance is practiced both by governments and by crime syndicates using similar technological methods. While the criminals clearly have no legal right to gather such data, the case of unauthorized government surveillance is murkier, varying dramatically from country to country. The United States NSA for example has repeatedly applied pressure on Apple, Google, Microsoft and others to provide access to their clouds and databases. Even government officials have had their conversations and communiqués wiretapped and intercepted. When asked if Skype, a division of Microsoft, monitors the content of its callers, the Skype Chief Information Officer abruptly replied “no comment.”
Methods of Cybercrime & Cybersurveillance—
Focusing on the topic of cybersecurity, numerous means exist to gain unauthorized access to device, network and computer data. As an example, FIG. 39 illustrates a variety of malware and hacker technologies used to commit cybercrime and achieve unauthorized intrusions into allegedly secure networks.
For example, an individual using a tablet 33 connected to the Internet may wish to place a call to business office phone 9, send a message to TV 36, call a friend in the country still using a circuit switched POTS network with phone 6, or download files from web storage 20, or send emails through email server 21A. While all of the applications represent normal applications of the Internet and global interconnectivity, many opportunities for surveillance, cybercrime, fraud, and identity theft exist through the entire network.
For example, for tablet 33 connecting to the network through cellular radio antenna 18 and LTE base station 17 or through short-range radio antenna 26 and public WiFi base station 100, an unauthorized intruder can monitor the radio link. Likewise LTE call 28 can be monitored or “sniffed” by an intercepting radio receiver or sniffer 632. The same sniffer 632 can be adjusted to monitor WiFi communications 29 and on the receiving end on cable 105 between cable CMTS 101 and cable modem 103.
In some instances, the LTE call can also be intercepted by a pirate faux-tower 638, establishing a diverted communication path 639 between tablet 38 and cellular tower 18. Communications sent through the packet-switched network to router 27, server 21A and server 21B, and cloud storage 20 are also subject to man in the middle attacks 630. Wiretaps 637 can intercept calls on the POTS line from PSTN gateway 3 to phone 6 and also on the corporate PBX line from PBX server 8 to office phone 9.
Through a series of security breaches, spyware 631 can install itself on tablet 33, on router 27, on PSTN-bridge 3, on cloud storage 20, on cable CMTS 101, or on desktop 36. Trojan horse 634 may install itself on tablet 33 or desktop 36 to phish for passwords. Worm 636 may also be used to attack desktop 36, especially if the computer runs Microsoft operating system with active X capability enabled. Finally, to launch denial of service attacks, virus 633 can attack any number of network-connected devices including servers numbered 21A, 21B and 21C, desktop 36, and tablet 33.
In FIG. 40, the graphic is simplified and displayed as to which portion of the communication network and infrastructure each form of malware operates. In the cloud 22 shown containing server 21A, fiber link 23 and server 21B, cyber-assaults may include virus 633, man in the middle attacks 630, government surveillance 640, and denial of service attacks 641. The last mile of the communication network offers an even more extensive opportunity for malware and cyber-assaults, divided into three sections, the local telco/network, the last link, and the device. The local telco/network as shown comprises high-speed fiber 24, router 27, cable CMTS 101, cable/fiber 105, cable modem 103, WiFi antenna 26, and LTE radio tower 25. In this portion of the network radio sniffer 632, spyware 631, virus 633, and man in the middle attacks 630 are all possible.
In the last link, the local connection to the device, the network connection comprises wireline 104, WiFi 29 link, and LTE/radio 28 link subject to spyware 631, radio sniffer 632, wiretap 637, and faux tower 638. The device itself, including for example tablet 33, notebook 35, desktop 36 but may also include smartphones, smart TVs, POS terminals, etc. are subject to a number of attacks including spyware 631, Trojan horse 634, virus 633, and worm 636.
Such surveillance methods and spy devices are readily available in the commercial and online marketplace. FIG. 41A illustrates two such devices, device 650 used for monitoring traffic on Ethernet local area networks, and device 651 providing the same features for monitoring WiFi data. Two commercially available devices, 652 and 653, used for monitoring cellular communications are shown in FIG. 41B. While in the network graphic of FIG. 39, sniffing 632 of optical fiber cloud connections 23 was not identified as a threat, during research it became evident that a non-invasive data sniffer for optical communications, i.e. one where the fiber need not be cut or its normal operation impaired even temporarily, now exists. As shown in FIG. 41C, device 655 performs optical fiber communications sniffing by capturing light leakage at a sharp bend in optical fiber 656. Provided the protecting sheathing is removed beforehand, inserting optical fiber 656 into a clamp in device 655, forces fiber 656 into a small radius U-turn where light 657 leaks into photosensor 659 which is carried by electronic cabling 660 to laptop 661 for analysis.
Aside from using hacking and surveillance methods, a wide variety of commercial spyware is readily available for monitoring cell phone conversations and Internet communications. The table shown in FIG. 42 compares the feature on the top 10 rated spyware programs, advertising benefit such as the ability to beneficially spy on your employees, your kids, and your spouse. The feature set is surprisingly comprehensive including spying on calls, photos and videos, SMS/MMS texting, third party instant messaging, emails, GPS location tracking, Internet use, address book, calendar events, bugging, control apps, and even remote control features, together comprising a frighteningly convincing number of a ways to violate cyberprivacy.
In fact cyber-assaults have now become so frequent, they are tracked on a daily basis. One such tracking site, shown in FIG. 43, displays security breaches and digital attacks on a global map including the location, duration and type of attack mounted. To launch a cyber-assault generally involves several stages or combination of techniques, including:
IP packet sniffing
Port interrogation
Profiling
Imposters
Packet-hijacking
Cyber-infections
Surveillance
Pirate administration
IP Packet Sniffing—
Using radio-monitoring devices, a cybercriminal can gain significant information about a user, their transactions, and their accounts. As shown in FIG. 44, the contents of an IP packet can be obtained or “sniffed” anywhere in the path between two users. For example, when user 675A sends a file, e.g. a photo or text, in IP packet 670 from their notebook 35 to cell phone 32 of their friend 675B, cyber pirate 630 can discover the IP packet in any number of places, either by intercepting the sender's last link 673A, the intercepting the sender's local network 672A, monitoring the cloud 671, intercepting the receiver's local telco 672B, or by intercepting the receiver's last link 673B. The observable data contained in intercepted IP packet 670 includes the Layer 2 MAC addresses of the devices used in the communication, the Layer 3 addresses of the sender of the receiving party, i.e. the packet's destination, including the transport protocol, e.g. UDP, TCP, etc. being used. The IP packet also contains, the Layer 4 port number of the sending and receiving devices potentially defining the type of service being requested, and the data file itself. If the file is unencrypted, the data contained in the file can also be read directly by cyber pirate 630.
If the payload is unencrypted, textual information such as account numbers, login sequences, and passwords can be read and, if valuable, stolen and perverted for criminal purposes. If the payload contains video or pictographic information, some added work is required to determine which Layer 6 application-format the content employs, but once identified the content can be viewed, posted publically, or possibly used for blackmailing one or both of the communicating parties. Such cyber-assaults are referred to as a “man in the middle attack” because the cyber-pirate doesn't personally know either communicating party.
As described previously, since IP packet routing in the cloud is unpredictable, monitoring the cloud 671 is more difficult because cyber pirate 630 must capture and the IP packet's important information when it first encounters it, because subsequent packets may not follow the same route and the sniffed packet. Intercepting data in the last mile has a greater probability to observe a succession of related packets comprising the same conversation, because local routers normally follow a prescribed routing table, at least until packets reach a POP outside the customer's own carrier. For example, a client of Comcast will likely pass IP packets up the routing chain using an entirely Comcast-owned network till the packet moves geographically beyond Comcast's reach and customer service region.
If a succession of packets between the same two IP addresses occurs for a sufficiently long time, an entire conversation can be recreated piecemeal. For example, if SMS text messages are passed over the same network in the last mile, cyber pirate 630 can identify through the IP addresses and port #s that multiple IP packets carrying the text represent a conversation between the same two devices, i.e. cell phone 32 and notebook 35. So even if an account number and password were texted in different messages or sent incompletely spread over many packets, the consistency of the packet identifiers still makes it possible for a cyber pirate to reassemble the conversation and steal the account info. Once the account info is stolen, they can either transfer money to an offshore bank or even usurp the account authority by changing the account password and security questions, i.e. using identity theft on a temporary basis.
Even if the payload is encrypted, the rest of IP packet 670 including the IP addresses and port #s are not. After repeatedly sniffing a large number of IP packets, a cyber pirate with access to sufficient computing power can by shear brute force, systematically try every combination until they break the encryption password. Once the key is broken, the packet and all subsequent packets can be decrypted and used by cyber pirate 630. The probability of cracking a login password by “password guessing” greatly improves if the packet sniffing is combined with user and account “profiling” described below. Notice in “man in the middle attacks” the communicating devices are not normally involved because the cyber pirate does not have direct access to them.
Port Interrogation—
Another method to break into a device is to use its IP address to interrogate many Layer 4 ports and see if any requests receive a reply. As illustrated in FIG. 45, once cyber pirate 680 identifies from packet sniffing or other means than cell phone 32 with an IP address “CP” is the targeted device, cyber pirate 680 launches a sequence of interrogations to ports on cell phone 32 looking for any unsecure or open port, service and maintenance port, or application backdoor. While a hacker's interrogation program can systematically cycle through every port #, attacks generally focus on notoriously vulnerable ports such as port #7 for ping, port #21 for FTP, port # for telnet terminal emulation, port #25 for simple email, and so on. As shown, by successively sending packets 680A, 680B, 680C and 680D, cyber pirate 660 waits for a response from cell phone 32, which in this example occurred of request 680D. Each time a response is sent the pirate learns something more about the operating system of the targeted device.
In the port interrogation process, cyber pirate 630 doesn't want to expose their real identity so they will use a disguised pseudo-address, listed symbolically herein as “PA” to receive messages but that is not traceable to them personally. Alternatively, cybercriminals may use a stolen computer and account, so it looks like someone else is trying to hack the targeted device, and if traced, leads investigators back to an innocent person and not to them.
Profiling—
User and account profiling is the process where a cyber pirate performs research using publically available information to learn about a target, their accounts, and their personal history in order to crack passwords, identify accounts, and determine assets. Once a hacker obtains the IP address of a target using sniffing or other means, the traceroute utility can be used to find the DNS server of the device's account. Then by utilizing the “Who is” function on the Internet, the name of the account owner can be discovered. In profiling, a cybercriminal then searches on the Internet to gather all available information on the account owner. Sources of information include public records such as property deeds, car registration, marriages and divorces, tax liens, parking tickets, traffic violations, criminal records, etc. In many cases, web sites from universities and professional societies also include home address, email addresses, phone numbers and an individual's birthdate. By researching social media sites such as Facebook, Linked In, Twitter, and others, a cybercriminal can amass a significant detailed information including family and friends, pets' names, previous home addresses, classmates, major events in someone's life, as well as photographic and video files, including embarrassing events, family secrets, and personal enemies.
The cyber pirate's next step is to use this profile to “guess” a user's passwords based on their profile to hack the target device and other accounts of the same individual. Once a cybercriminal cracks one device's password, the likelihood is great they can break into other accounts because people tend to reuse their passwords for ease of memorizing. At that point, it may be possible to steal a person's identity, transfer money, make them a target of police investigations, and essentially destroy someone's life while stealing all their wealth. For example, as described in the opening section of this disclosure, amassing a long list of passwords from stolen accounts, cybercriminals used the same passwords to illegally purchase millions of dollars of premium tickets to concerts and sporting events using the same passwords and login information.
Imposters—
When a cyber pirate impersonates someone they are not or uses illegally obtained cyber-security credentials to gain access to communication and files under the false pretense of being an authorized agent or device, the cyber-pirate is acting as an “imposter”. The imposter type of cyber-assault can occur when a cybercriminal has sufficient information or access to an individual's account to usurp a victim's account, sending messages on their behalf and misrepresenting them as the owner of the hacked account. Recently, for example, a personal friend of one of the inventors had her “Line” personal messenger account hacked. After taking over the account, the cybercriminal sent messages to her friends misrepresenting that “she had a car accident and needed money as an emergency loan”, including providing wiring instructions for where to send the money. Not knowing the account had been hacked her friends thought the request was real and rushed to her financial rescue. To avoid suspicion, the request sent to each friend was under $1,000 USD. Fortunately just before wiring money, one of her friends called her to double check the wiring info, and the fraud was uncovered. Without calling, no one would have never known the requests were from an imposter and the Line account owner would never have known the wire had been sent or even requested.
Another form of misrepresentation occurs when a device has granted security privileges and is enabled to exchange information with a server or other network-connected device, and by some means a cyber-pirate device disguises itself as the authorized server, whereby the victim's device willingly surrenders files and information to the pirate server not realizing the server is an imposter. This method was reportedly used to lure celebrities to backup private picture files with iCloud, except that the backup cloud was an imposter.
Another form of imposter occurs when someone with physical access to a person's phone or open browser performs an imposter transaction such as sending an email, answering a phone call, sending a text message from another person's account or device. The receiving party assumes because they are connected to a known device or account, that the person operating that device or account is its owner. The imposter can be a prank such as a friend posting embarrassing comments of Facebook or can be of a more personal nature where someone's spouse answers personal calls or intercepts private text messages of a private nature. The result of the unauthorized access can lead to jealousy, divorce, and vindictive legal proceedings. Leaving a device temporarily unsupervised in an office or café, e.g. to run to the toilet, presents another risk for an imposter to quickly access personal or corporate information, send unauthorized emails, transfer files, or download some form of malware into the device, as described in the following section entitled “infections”.
Imposter-based cyber-assault is also significant when a device is stolen. In such events, even though the device is logged out, the thief has plenty of time in which to break the login code. The “find my computer” feature that is supposed to locate the stolen device on the network and wipe a computer's files the first time the cyber pirate logs on to the device, no longer works because tech-savvy criminals today know to activate the device only where there is no cellular or WiFi connection. This risk is especially great in the case of cell phones where the passline security is a simple four-number personal identification number or PIN. It's only a matter of time to break a PIN since there are only 9999 possible combinations.
The key issue to secure any device is to prevent access to imposters. Preventing imposters requires a robust means to authenticate a user's identity at regular intervals and to insure they are only authorized to access the information and privileges they need. Device security is oftentimes the weakest link in the chain. Once a device's security is defeated, the need for robust network security is moot.
Packet Hijacking—
Packet hijacking comprises a cyber-assault where the normal flow of packets through the network is diverted through a hostile device. This example is shown in FIG. 46, where notebook 35 with an IP address “NB” and an ad hoc port #9999 is sending a file as IP packet 670 to a cell phone (not shown) having an IP address “CP” and a FTP data port #20. Under normal circumstances IP packet 670 would traverse a route from notebook 35 to WiFi router 26 and on to router 27 connected by high-speed wireline connection 24 to server 22A in the cloud.
If however, the integrity of router 27 has been compromised by a cyber-assault from cyber pirate 630, IP packet 670 can be rewritten into IP packet 686A, for the sake of clarity shown in abridged form where only the IP addresses and port #s are shown. To divert the IP package the destination address and port # are changed from the cell phone to that of the cyber pirate device 630, specifically to IP address “PA” and port #20000. Cyber pirate device 630 then obtains whatever information it needs from the payload of the IP packet and possibly changes the content of the IP packet's payload. The fraudulent payload may be used to commit any number of fraudulent crimes, to gather information, or to download malware into the cell phone, described subsequently herein under the topic “infections”.
The hijacked packet, IP packet 686B, is then retrofitted to appear like the original IP packet 670 with source IP address “NB” from port #9999 sent to cell phone IP address “CP” at port #20, except that the packet travels over wireline connection 685B instead of wireline connection 24. Alternatively the hijacked IP packet can be returned to compromised router 27 and then sent on to the cloud via wireline connection 24. In order to maximize the criminal benefit of packet hijacking, cyber pirate 630 needs to hide their identity in the packet hijacking, and for that reason they disguise the true routing of the IP packet so even the Layer 3 ICMP function “traceroute” would have difficulty in identifying the true path of the communication. If, however, the hijacking adds noticeable delay in packet routing, the unusual latency may prompt investigation by a network operator.
Cyber-Infections—
One of the most insidious categories of cyber-assault is that of “cyber-infections”, installing malware into targeted devices or the network by which to gather information, commit fraud, redirect traffic, infect other devices, impair or shut down systems, or to cause denial of service failures. Cyber infections can be spread through emails, files, web sites, system extensions, application programs, or through networks. One general class of malware, “spyware” described in the table of FIG. 42 gathers all kinds of transactional information and passes it on to a cyber pirate. In the case of“phishing”, a wen page or an application shell that appears like a familiar login page asks for account login or personal information then forwards the information to a cyber pirate. Still other malware infections can take control of hardware, e.g. control a router to execute the aforementioned packet hijacking. In these cases, the cyber pirate is attempting to gain information or control beneficially for their own purposes.
Another class of cyber-infections comprising viruses, worms, and Trojan-horses is designed to overwrite critical files, or to execute meaningless functions repeatedly to prevent a device from doing its normal tasks. Basically to deny services, degrade performance, or completely kill a device. These malevolent infections are intrinsically destructive and used for vindictive purposes, to disable a competitor's business from normal operation, or simply motivated for fun by a hacker wanting to see if it's possible.
Surveillance—
Bugging and surveillance goes beyond cybercrime. In such instances a private detective or an acquaintance is hired or coerced to installing a device or program into the target's personal devices to monitor their voice conversations, data exchanges, and location. The risk of being caught is greater because the detective must gain temporary access to the target device without the subject knowing it. For example, SIM cards are commercially available that can copy a phone's network access privileges but concurrently transmit information to a cybercriminal monitoring the target's calls and data traffic.
Other forms of surveillance involve the use of clandestine video cameras to monitor a person's every action and phone call, much as those located in casinos. Through video monitoring, a device's password or PIN can be learned simply by observing a user's keystrokes during their login process. With enough cameras in place, eventually once will record the login process. To access a camera network without raising suspicion, a cyber pirate can hack an existing camera surveillance system on buildings, in stores, or on the streets, and through access to someone's else's network monitor the behavior of unsuspecting victims. Combining video surveillance with packet sniffing provides an even more comprehensive data set for subsequently launching cyber-assaults.
Pirate Administration (Infiltration)—
One other means by which cyber pirates are able to gain information is by hacking and gaining access to system administration rights of a device, server, or network. So rather than gaining unauthorized access to one user's account, by hacking the system administrator's login, significant access and privileges become available to the cyber pirate without the knowledge of those using the system. Since the system administrator acts as a system's police, there is no one to catch their criminal activity—in essence; in a system or network with corrupted administration there is no one able to police the police.
Conclusion—
The ubiquity and interoperability that the Internet, packet-switched networks, and the nearly universal adoption of the seven-layer open source initiative network model, has over the last twenty years enabled global communication to expand on an unparalleled scale, connecting a wide range of devices ranging from smartphone to tablets, computers, smart TVs, cars and even to home appliances and light bulbs. The global adoption of the Internet Protocol or IP as the basis for Ethernet, cellular, WiFi, and cable TV connectivity not only has unified communication, but has greatly simplified the challenge for hackers and cybercriminals attempting to invade as many devices and systems as possible. Given the plethora of software and hardware methods now available to attack today's communication networks, clearly no single security method is sufficient as a sole defense. Instead what is needed is a systematic approach to secure every device, last-link, local telco/network and cloud network to insure their protection against sophisticated cyber-assaults. The methods utilized should deliver intrinsic cybersecurity and cyberprivacy without sacrificing QoS, network latency, video or sound quality. While encryption should remain an important element of developing this next generation in secure communication and data storage, the network's security must not rely solely on encryption methodologies.